PHP and Ajax String Input/Output Handling Scenario
I'm still new to String Processing in PHP. Below is a diagram of what I am currently doing. Ultimately, I would like to get a generic methodology for handling strings in the below scenarios. Note that the text tends to be a lot of math symbols and code syntax in this scenario.
The strings and integer are input via a standard HTML-based form (I forgot to mention that in the diagram).
Step A currently uses: mysql_real_escape_string(input);
Step B currently uses:
htmlentities($string2)
- nothing for
$string1
- nothing for the integer
Questions:
- Regarding MySQL injection, is mysql_real_escape_string sufficient to guard against this?
- I still need to finish processing the output for String1. Note how the text is actually used in two different places: HTML and Canvas. htmlentities at step B would make code syntax appear properly on the HTML5 Canvas but not in the HTML. Vice-versa for leaving it out (HTML syntax breaks the Page). Is there a JavaScript function that is identical to PHP's htmlentities?
- int form should be validated to make sure it is an int.
- String2 ouputs "null" to the HTML when I use this character ('–') which is not the standard minus-sign character ('-').
- Magic Quotes is turned off. However, if I run the script on a server with it enabled, I need a short script that goes: IF开发者_运维百科(magic quotes is enabled){turn off magic quotes}.
- What did I forget in regard to form validation?
If my approach is totally wrong, set me straight and help me get this straightened out once and for all. You can describe your solution in terms of A, B, C, D and E if you think that is helpful. Thanks in advance.
mysql_real_escape_string()
will properly escape your code- (A) On the JavaScript end, jQuery's
.text()
method will properly escape code before outputting it to the page. (B) Check out PHP.js. It's a JavaScript library that replicates PHP functionality, and includeshtmlentities()
andhtmlspecialchars()
. http://phpjs.org/ - As for the integer, you can use the
ctype_digits()
function to ensure that it is a numeric value; and you can also use some form of type hinting:$int = (int) $int;
. - I agree with the gentleman who recommended trying
htmlspecialchars()
. - Try to keep magic quotes off. It's a horrible feature, and will be removed in a future release of PHP. If you need to include protection against magic quotes, try something similar to the code below. (see bottom of post)
- It's hard to say without seeing your code, but it seems like you are on the right track.
-
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
$func = function(&$val, $key) {
if (!is_numeric($val)) {
$val = stripslashes($val);
}
};
array_walk_recursive($_GET, $func);
array_walk_recursive($_POST, $func);
array_walk_recursive($_COOKIE, $func);
unset($func);
}
- Yes
- -
- -
- Use
htmlspecialchars
, htmlentities is not necessay. You're getting a NULL because you probably have a charset problem. - If you see that magic quotes are enabled, it's already too late and need to reverse the quoting manually.
I still didn't understand what want to do.
1) Not sure if it's enough, but you can also try using prepared statements (PDO), which guarantees full sql injection protection + small perfomance boost if you use some quesries more than once in the same script.
3) just cast to int - (int)$string
5) wow, that must be some archaic servers..
I think you're kinda overreacting in terms of security. If you really need to be secured, use prepared statements when talking to database, and use some kind of HTML purifier (like this one: http://htmlpurifier.org/) for cleaning html output (preventing XSS)
精彩评论