Sanitising User Input
Security Performance Architecture – https://www.securityperformancearchitecture.co.uk/sanitising-user-input/
Thu, 29 Jan 2015 15:57:58 +0000

Some days you need to get user input from a bit of an HTML form that wasn’t really designed for it, in order to get a great UX.

This means that the input gets passed around through JS, AJAX, PHP and goodness only knows what before it turns up in the right place.

How do we make sure it’s safe to add to a SQL query?

Of course we can use PDO, but how about the general case?

$Words = str_replace("\xA0", " ", mysqli_real_escape_string($link, html_entity_decode(strip_tags(preg_replace('!\s+!', ' ', trim($Words))))));
$pieces = explode(" ", strip_tags($Words));

Something just says this is plain wrong, but it’s working for me.

In this particular use case I’m trying to break up a user provided “sentence” into a set of words, which I then do stuff with.
So it is particularly difficult to parse here when things get pasted.

I’m sure the above approach is wrong, would anyone like to tell me how to do it better?
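One way to do it better, as an added example that is not code from the original post: keep the tokeniser and the database layer separate. The splitter only normalises whitespace (including the U+00A0 non-breaking space that pasted text carries) and splits; the words then reach SQL only through PDO bound parameters, so no escaping function is needed and no word can change the shape of the query. HTML escaping happens once, at output. The `words` table and the in-memory SQLite database are assumptions made so the script runs offline; with MySQL the same functions work over a `mysql:` DSN.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. The `words` table and the
// in-memory SQLite connection are assumptions so the script runs stand-alone.

/**
 * Split a user-supplied sentence into words.
 * No SQL escaping happens here: the tokeniser's only job is to split, and the
 * database layer (prepared statements) keeps the words from ever being parsed as SQL.
 */
function splitWords(string $sentence): array
{
    // Browsers and word processors paste U+00A0 (non-breaking space), which \s does
    // not match by default, so list it explicitly. The /u modifier makes \x{00A0} a
    // code point rather than a byte and keeps other multibyte characters intact.
    // PREG_SPLIT_NO_EMPTY drops the empty pieces produced by leading/trailing space.
    $parts = preg_split('/[\s\x{00A0}]+/u', $sentence, -1, PREG_SPLIT_NO_EMPTY);
    if ($parts === false) {
        // preg_split returns false on invalid UTF-8; refuse rather than guess.
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return $parts;
}

/** Insert each word through a bound parameter; returns the number of rows written. */
function storeWords(PDO $pdo, array $words): int
{
    $stmt = $pdo->prepare('INSERT INTO words (word) VALUES (:word)');
    foreach ($words as $word) {
        // The driver sends the value separately from the SQL text.
        $stmt->execute([':word' => $word]);
    }
    return count($words);
}

/**
 * Look up words with an IN (...) list. Only the *number* of placeholders is built
 * from the input; the values themselves are still bound, never interpolated.
 */
function findWords(PDO $pdo, array $words): array
{
    if ($words === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($words), '?'));
    $stmt = $pdo->prepare("SELECT DISTINCT word FROM words WHERE word IN ($placeholders)");
    $stmt->execute(array_values($words));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Demo on a constructed input: a non-breaking space (\xC2\xA0), doubled spaces,
// an apostrophe and a pasted SQL comment marker, none of which need special handling.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE words (word TEXT NOT NULL)');

$input = "  it's\xC2\xA0a  quick  test  -- ' OR 1=1 ";
$words = splitWords($input);          // ["it's", "a", "quick", "test", "--", "'", "OR", "1=1"]
storeWords($pdo, $words);

foreach (findWords($pdo, $words) as $w) {
    // Escape for HTML only at the point of output, not on the way in.
    echo htmlspecialchars($w, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
}
```

Two notes on the original chain. First, `mysqli_real_escape_string` only makes a value safe for one specific position in one specific SQL string; storing the escaped form and then splitting it means the backslashes it adds become part of the "words". Second, running `html_entity_decode` after `strip_tags` can turn `&lt;b&gt;` back into `<b>`, so if tag stripping is wanted, decode first and strip second. With pdo_mysql, setting `PDO::ATTR_EMULATE_PREPARES` to `false` on the connection makes the server parse the statement before it ever sees the bound values.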
