
jumping on the “escape input, filter output” bandwagon


It’s true, I’m jumping on board the “escape input, filter output” bandwagon. The mantra was coined by Chris Shiflett of Brainbulb (his own wording is “filter input, escape output”; the two pieces below do both) and made oh-so-popular by my pal Ben Ramsey.

Here’s how I do it in my most recent PHP project, using PHP’s PEAR DB library (the abstraction layer matters because the project started on MySQL and now runs on PostgreSQL):

For escaping:

// Escape once. Either escape by hand with $dbh->escapeSimple($data_from_user)
// and concatenate, or (better) use a "?" placeholder: execute() runs the
// value through quoteSmart(), which escapes and quotes it. Doing both stores
// doubled backslashes or quotes.
$stmt = $dbh->prepare("INSERT INTO table (thing) VALUES (?)");
$sql_data = array($data_from_user);
$res = $dbh->execute($stmt, $sql_data);
if (PEAR::isError($res)) { /* handle the DB_Error */ }

PEAR DB’s escapeSimple() performs the equivalent of mysql_real_escape_string() (or pg_escape_string(), or whatever the loaded driver provides). The prepare()/execute() pair is the more robust choice: each “?” placeholder is replaced by the quoted, escaped value when the statement is executed, so whatever gets plopped in is treated as a value and never becomes part of the statement the way it does with PHP’s “.” concatenation. Two caveats. First, for the mysql and pgsql drivers PEAR DB emulates prepared statements client-side by substituting the quoted value into the SQL text, so this is exactly as good as the driver’s escaping, not a server-side parameterised query. Second, because the placeholder already escapes, a value that was pre-escaped with escapeSimple() is escaped twice and lands in the table with doubled backslashes or quotes; escape once, by one mechanism.
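To make the difference concrete, here is an added example (my own, not code from the original post) putting the concatenated, hand-escaped and placeholder forms side by side with a constructed attacker input. It assumes $dbh is an already connected PEAR DB object and that a table guestbook with a text column thing exists; the function names are made up for illustration.

```php
<?php
// Added example, not from the original post. Assumes $dbh is an already
// connected PEAR DB object (DB::connect(...)) and that a table "guestbook"
// with a text column "thing" exists; both are assumptions for illustration.
require_once 'DB.php';

// Constructed attacker input: closes the string literal and appends a second
// statement. With string concatenation it runs; with a placeholder it is data.
$data_from_user = "x'); DELETE FROM guestbook; --";

// VULNERABLE: the value is pasted into the SQL text with "." concatenation,
// so the quote in the input ends the literal and the rest becomes SQL.
function insert_unsafe($dbh, $value)
{
    $sql = "INSERT INTO guestbook (thing) VALUES ('" . $value . "')";
    return $dbh->query($sql);
}

// SAFE, by hand: escape exactly once with the driver's escaper, then
// concatenate. Correct, but every call site has to remember to do it.
function insert_escaped($dbh, $value)
{
    $clean = $dbh->escapeSimple($value);   // pg_escape_string / mysql_real_escape_string
    $sql = "INSERT INTO guestbook (thing) VALUES ('" . $clean . "')";
    return $dbh->query($sql);
}

// SAFE, by placeholder: execute() runs quoteSmart() on each "?" value, which
// escapes it and wraps it in quotes, so the value is never parsed as SQL.
// Do NOT pre-escape here or the stored row contains doubled backslashes/quotes.
function insert_prepared($dbh, $value)
{
    $stmt = $dbh->prepare("INSERT INTO guestbook (thing) VALUES (?)");
    return $dbh->execute($stmt, array($value));
}

// Prefer the placeholder form. Note that PEAR DB's "!" placeholder inserts a
// value raw and would reintroduce the concatenation problem; stick to "?".
$res = insert_prepared($dbh, $data_from_user);
if (PEAR::isError($res)) {
    die('insert failed: ' . $res->getMessage());
}
```

With the constructed input, insert_unsafe() sends two statements to the server and the DELETE runs; insert_escaped() and insert_prepared() both store the literal string, quote and all, as the value of thing.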

For filtering:

$something = $dbh->getOne("SELECT something FROM …");
if (PEAR::isError($something)) { /* getOne() returns a DB_Error on failure */ }
$something_filter = filter_output($something);

filter_output() does a few other things, and handles arrays as well as single values, but at its core it whips out:

$to_return = htmlentities($something, ENT_QUOTES, "UTF-8");
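The post describes filter_output() but does not show it, so here is an added example of the shape it describes (my own code, not the post’s function): htmlentities() with ENT_QUOTES and UTF-8, applied to a scalar or recursively to every value in an array. The function name matches the post; the sample row is constructed.

```php
<?php
// Added example, not the post's own filter_output(). Escapes a scalar, or
// every leaf value of a (possibly nested) array, for output in an HTML body
// or attribute. Keys are left alone; escape them where you print them.
function filter_output($data)
{
    if (is_array($data)) {
        $out = array();
        foreach ($data as $key => $value) {
            $out[$key] = filter_output($value);
        }
        return $out;
    }
    if ($data === null || is_bool($data)) {
        return $data;                 // nothing to encode
    }
    // ENT_QUOTES encodes both ' and ", so the result is safe inside
    // single- or double-quoted attribute values as well as element text.
    // Passing the charset explicitly avoids the wrong-charset case where
    // a multibyte sequence is treated as several single-byte characters.
    return htmlentities((string) $data, ENT_QUOTES, 'UTF-8');
}

// Constructed sample row: a script in one column, an attribute break-out
// in another, and a nested array with a quote and a non-ASCII character.
$row = array(
    'title' => '<script>alert(1)</script>',
    'name'  => "Bob\" onmouseover=\"alert(2)",
    'tags'  => array("O'Reilly", 'Ünicode'),
);
$safe = filter_output($row);

// Every value in $safe can now be dropped into the template as-is.
echo '<input name="who" value="' . $safe['name'] . '">' . "\n";
echo '<h1>' . $safe['title'] . '</h1>' . "\n";
```

The angle brackets become &lt; and &gt;, the embedded double quote in name becomes &quot;, and the apostrophe in O'Reilly becomes &#039;, so none of them can end the attribute or open a tag. This is HTML escaping only: a value written into a JavaScript string, a URL or a CSS block needs that context’s encoding instead, and if the template engine also escapes the same variable the entities get encoded twice, so escape in exactly one place.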

I’m also using the Smarty template engine for every piece of displayed output; its variable modifiers (escape, in particular) act as a second “filterer” of bad-ness. The templates live outside the HTML document root, and the web-server user (apache/nobody/httpd) does not own them, so a compromised web process cannot rewrite them.

Locked down? Somewhat. She’s getting there.

One Response to “jumping on the “escape input, filter output” bandwagon”

  1. lumpy
    August 29th, 2005 17:09

    What functions are you using smarty for?
