
[nycphp-talk] Filtering form input

edward potter edwardpotter at gmail.com
Thu Jul 27 19:53:22 EDT 2006


Using Javascript to handle all of this also gives nice feedback to your
users. Back that up (of course!) with the php tips here, and you are
pretty set.

-ed  :-)



On 7/27/06, Aaron Fischer <agfische at email.smith.edu> wrote:
> Greetings listers,
>
> I'm working on some new forms and would like to make them more secure by
> filtering the input.  I recently purchased and have at least partially
> digested Essential PHP Security by Chris Shiflett and The PHP Anthology
> by Harry Fuecks.  Based on this material I can see two possible paths ahead.
>
> 1.  Use the clean_array() approach and filter input data using PHP
> methods and/or regex expressions.
> 2.  Install the Pear package HTML_QuickForm and use for validating
> (filtering) input data.
>
> I was leaning toward #1 but have very little experience with regex.
> It's probably implausible, particularly given time constraints, for me
> to attempt to build regex expressions for my form fields.  Are there any
> resources online for regex expressions that people would recommend for
> filtering input?  Secondly, in Chris's book I see ctype_alnum() and
> html_entities() as two methods recommended to use for filtering.  Are
> there other PHP methods folks would recommend?
>
> I slogged through Pear and HTML_QuickForm a bit.  I haven't worked with
> Pear packages yet and am in a shared hosting environment, so I'm
> currently attempting to see what, if anything, is enabled and/or
> installed for Pear on my server.
>
> Would appreciate any advice or recommendations for how to proceed with
> either method #1 or #2.  At this point I would be satisfied with minimal
> improvements to security as it would be a step in the right direction
> and I can improve my filtering techniques during the next project.
>
> Thanks,
>
> -Aaron
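As an added example for the "clean_array()" path Aaron asks about (not code from the thread, Shiflett's book, or HTML_QuickForm): a whitelist filter where every accepted field has an explicit rule, unknown fields are dropped, and ctype_alnum()/ctype_digit(), filter_var() and a regex do the per-field checks. The function name clean_array, the rule table, the field names and the sample submission are all constructed for this illustration; the script uses only standard PHP functions. Note that filtering input is separate from escaping output, so the last loop still runs htmlentities() on the cleaned values before printing them as HTML. Client-side Javascript, as Ed says, is for feedback only; this server-side step is the one that counts.

```php
<?php
// Added example: a small whitelist filter in the spirit of the clean_array()
// approach. Names, rules and sample data below are constructed for this
// illustration, not taken from any library.

declare(strict_types=1);

/**
 * Filter a submitted array against a table of rules.
 * Fields not in the rule table are discarded; fields that fail their
 * rule are reported in 'errors' and kept out of 'clean'.
 *
 * @return array{clean: array<string,string>, errors: array<string,string>}
 */
function clean_array(array $raw, array $rules): array
{
    $clean  = [];
    $errors = [];

    foreach ($rules as $field => $rule) {
        // A missing or non-string field is treated as empty.
        $value = (isset($raw[$field]) && is_string($raw[$field])) ? trim($raw[$field]) : '';

        if ($value === '') {
            if (!empty($rule['required'])) {
                $errors[$field] = 'This field is required.';
            } else {
                $clean[$field] = '';
            }
            continue;
        }

        // Length limit first: cheap, and it bounds what the regex has to scan.
        if (isset($rule['max']) && strlen($value) > $rule['max']) {
            $errors[$field] = 'Too long (maximum ' . $rule['max'] . ' characters).';
            continue;
        }

        switch ($rule['type']) {
            case 'alnum':   // letters and digits only
                $ok = ctype_alnum($value);
                break;
            case 'int':     // decimal digits only
                $ok = ctype_digit($value);
                break;
            case 'email':
                $ok = filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
                break;
            case 'regex':   // caller-supplied anchored pattern
                $ok = preg_match($rule['pattern'], $value) === 1;
                break;
            case 'text':    // free text: reject control characters except tab/newline
                $ok = preg_match('/^[^\x00-\x08\x0B\x0C\x0E-\x1F\x7F]*$/', $value) === 1;
                break;
            default:
                $ok = false; // unknown rule type never passes
        }

        if ($ok) {
            $clean[$field] = $value;
        } else {
            $errors[$field] = 'Invalid value.';
        }
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// Rule table: one entry per form field (constructed for this example).
$rules = [
    'username' => ['type' => 'alnum', 'required' => true,  'max' => 32],
    'age'      => ['type' => 'int',   'required' => false, 'max' => 3],
    'email'    => ['type' => 'email', 'required' => true,  'max' => 254],
    'zip'      => ['type' => 'regex', 'required' => false, 'pattern' => '/^\d{5}(-\d{4})?$/'],
    'comment'  => ['type' => 'text',  'required' => false, 'max' => 2000],
];

// Constructed sample submission standing in for $_POST.
$submitted = [
    'username' => 'aaron_f',                 // underscore fails ctype_alnum()
    'age'      => '34',
    'email'    => 'someone@example.com',
    'zip'      => '01063',
    'comment'  => "Hello <b>world</b> & \"friends\"",
    'is_admin' => '1',                       // not in the rule table: dropped
];

$result = clean_array($submitted, $rules);

foreach ($result['errors'] as $field => $msg) {
    echo "error: $field: $msg\n";
}

// Filtering on input does not replace escaping on output: whatever survives
// the filter is still escaped for the context it lands in (here, HTML).
foreach ($result['clean'] as $field => $value) {
    echo $field . ': ' . htmlentities($value, ENT_QUOTES, 'UTF-8') . "\n";
}
```

Run it with `php clean_array_example.php` (any filename). The username is rejected because of the underscore, `is_admin` never reaches `$clean` because it has no rule, and the comment is printed with `<`, `&` and quotes encoded. Extending the form means adding a row to `$rules`, which keeps the set of accepted fields in one place for review.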


