Internet is full of spam bots, autosubmitters, malicious users and worms that can compromise the security of your website at any given time, therefore you should be suspicious of any data you receive via GET/POST variable in your system.
Among the nasty things that could happen to your system when you don’t filter your data is, SQL injection, Script Injection, Email abusing and Remote Execution the attacker could deface your website or even wipe your entire database if you’re not careful with it.
One of the way to filter your data is to use preg_match to write regex rule for the variable that would be accepted.
However I find writing preg_match sometimes can be tiring, and that’s why I use owasp php filters to simplify the work for me. It consists of one function sanitize(), that take the variable that you want to filter and an option.
The option may be any of this value PARANOID,HTML,INT,FLOAT,LDAP,SQL,SYSTEM and UTF-8 that filters the type of data accordingly. For example if you want your variable to contain only floating-point number, then you can code it like this :
< ?php
require('sanitize.inc.php');
$var=100.50;
$float = sanitize($var,FLOAT);
?>
I isn’t much, but surely it will simplify your php coding a bit more, the other option is self-explanatory save PARANOID, which means that the variable will contain only alphanumeric character after sanitize.
SQL is handy if you want to include the variable value inside an SQL statement, this will avoid the risk of the notorious SQL injection which will affect the security of your data.
you can download OWASP PHP filter here
[tags]php,security,filters,mysql,sql,sql injection,injection[/tags]
hey papit,
i didn’t realize such library exists. this is pretty interesting, will try out for my other projects.
thanks for sharing.