looking for straight answer - what's the safest or joint-safest way to validate data?

**blm126** · 09-12-2006, 01:17 AM

well in php the just call exit();

**Birmingham** · 09-13-2006, 08:50 AM

which php function(s) is/are best for preventing PHP Injection. is my question clearer now? If so, please help. No need for the sarky comments.

**Twey** · 09-13-2006, 12:21 PM

"PHP injection?" As in, uploading and executing a malicious PHP file? You just need to check the extension on uploads.

**Birmingham** · 09-14-2006, 10:16 AM

PHP Injection, as in submitting malicious code to a php script that processes form or cookie data (via $_GET / $_POST / $_COOKIES ...etc). Any ideas?

**Twey** · 09-14-2006, 05:00 PM

submitting malicious code to a php script that processes form or cookie data (via $_GET / $_POST / $_COOKIES ...etc).

You're perfectly safe: the data will not be run. However, it may be executed in some form depending on what you next do with it. That's the critical bit.

**Birmingham** · 09-15-2006, 08:44 AM

exactly - so what should i first do with it to make sure it isn't executed?

I'm very aware that i must properly validate information in a secure and recommended way immediately upon assigning it to any new variables before working with it. What i haven't a clue about is what functions to use to properly and securely validate that info. u might just say any - but i'm looking for some1 who knows which are the best.

can anyone help? are you the only properly active person in this forum twey? *lol

**mwinter** · 09-15-2006, 01:01 PM

Originally Posted by Birmingham

exactly - so what should i first do with it to make sure it isn't executed?

Don't pass user input to functions like eval or shell_exec.

I'm very aware that i must properly validate information in a secure and recommended way immediately upon assigning it to any new variables before working with it. What i haven't a clue about is what functions to use to properly and securely validate that info. u might just say any - but i'm looking for some1 who knows which are the best.

As I tried to point out, the "best" functions depend on how you are using the data. Sending the data back to the user as HTML requires different treatment than data that is to be e-mailed or added to a database. There is no silver bullet.

Mike

**tech_support** · 09-16-2006, 04:57 AM

The safest way - Don't send the data at all.

**Birmingham** · 09-16-2006, 09:12 AM

Originally Posted by tech_support

The safest way - Don't send the data at all.

true, tech_support. that's the method i'm currently using but i need to change to add functionality. there's little point in me removing server-side scripting and reducing functionality when i could still get hacked though my host.

mwinter - as i said before i'm looking to prevent php injection, not sql/databases/html/anything else! i think i've got the html sorted now i just want to secure from php injection! only to process form data in php scripts without my server security being compromised at that point.

any ideas anyone? any bullets for this clear target?

**Twey** · 09-16-2006, 12:04 PM

"PHP injection" is not a technical term, since it doesn't exist. It sounds to me as if you're expecting data submitted to your PHP script to be automatically executed somewhere along the way, thus compromising your security. It isn't. It's nothing more than a string until you pass it to something that tries to execute it in some form, such as eval(), shell_exec(), mysql_query(), or a browser (or a file, if that file has the wrong permissions/filename). Unless you are passing it to such a function, there is nothing to worry about.

Thread: looking for straight answer - what's the safest or joint-safest way to validate data?

Thread Tools

Search Thread

Bookmarks

Bookmarks

Posting Permissions