PHP
Gish, 2019-10-19 23:46:56

How does PHP POST & GET filtering look and work?

Hello. I use this function to filter GET and POST

function formatstr($str)
{
    $str = trim($str);             // strip leading/trailing whitespace
    $str = stripslashes($str);     // remove backslash escaping
    $str = htmlspecialchars($str); // encode <, >, &, " as HTML entities
    return $str;
}
$login_name = formatstr($_GET['login_name'] ?? '');

For a test, I tried to pass $login_name into a database query line, and the database gives an error.
I tried to display $login_name via echo, and the other garbage was still there. How does this function work? I thought that all quotes and tags would be removed, but in fact they remain. Why not use regular expressions for this? '"<script>


2 answer(s)
FanatPHP, 2019-10-20
@Gish

How does PHP POST & GET filtering look and work?

I understand that this statement does not fit in the head of a person who learned PHP from video courses, but it is a fact.
By themselves, HTTP POST & GET requests do not carry any threat, and they do not need to be filtered in advance in any way.
In general, you must filter not according to the principle of "where from", but according to the principle of "where to".
Data needs to be formatted based on where it goes, not where it came from. The SQL query does not care in the least where the quote in the data came from: from a GET, from a file on disk, or from another database. Data for SQL must be formatted correctly not because it came from GET, but because it goes to SQL.
(At the same time, one must also understand that a SQL query and a database are not the same thing. The database also doesn't care what it contains. We do any formatting only for the SQL query, and the database should keep the data as it is.)
If everyone thought like you, then you would not be able to ask your question on the Toaster. Because without quotes and tags, it would turn into nonsense. As would a bunch of other questions.
Of course, "garbage" should not be deleted, but formatted. Because this is "garbage" only for SQL, while for a person it is the necessary information that helps to read the text.
No, of course not.
Using regular expressions would be as stupid as your function.
In order to place a variable in an SQL query, you must use placeholders in prepared statements. Remember this sentence. It is the most important thing you have learned so far about PHP. Remember it well; you should know it better than your mom's and dad's names. And never deviate from this rule. It doesn't matter whether you need protection against SQL injection or not, whether the data came from POST or the Lord God dictated it to you on Mount Sinai: all the same, always and everywhere only through placeholders.
So.
1. You throw out your function in the trash. The only word that makes any sense there is trim(). Well, you can call it directly.
2. Judging by the level of the code and the question, you use bare mysqli to work with the database. Therefore, forget about mysqli_query() altogether, and all queries that use at least one variable are executed only in this way:
$stmt = $conn->prepare("INSERT INTO tablitsa (login_name,email) VALUES (?,?)");
$stmt->bind_param("ss", $login, $email);
$stmt->execute();

You can read more on the Internet.
3. When displaying user data in HTML, use the htmlspecialchars() function. I hope by this point you have already understood the main idea: it is important not where the data came from, but where it is going. Going to HTML? Great, let's format it for HTML.
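The principle in this answer, as an added example that is not from the thread: the same raw value is bound into a prepared statement and, separately, escaped for HTML at output time. It uses PDO with an in-memory SQLite database so it runs stand-alone; the mysqli prepare()/bind_param() calls above do the same job for MySQL. The table name and the test string are constructed.

```php
<?php
declare(strict_types=1);

// Constructed input: the asker's own probe string, stored with no "pre-filtering".
$raw = '\'"<script>';

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login_name TEXT NOT NULL)');

// Destination 1: SQL. The value travels as a bound parameter, never as part of
// the query text, so quotes inside it cannot alter the statement.
$stmt = $db->prepare('INSERT INTO users (login_name) VALUES (?)');
$stmt->execute([trim($raw)]);

// The database holds the original text, quotes and tags included.
$stored = $db->query('SELECT login_name FROM users')->fetchColumn();
if ($stored !== trim($raw)) {
    throw new RuntimeException('stored value was altered');
}

// Destination 2: HTML. Escape when rendering, with ENT_QUOTES so that single
// quotes are encoded as well (matters when the value lands inside an attribute;
// before PHP 8.1 the default flags leave single quotes alone).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo '<p>Hello, ' . h($stored) . "</p>\n";
echo '<input type="text" name="login_name" value="' . h($stored) . "\">\n";

// For contrast, the asker's approach: escaping for HTML before the INSERT puts
// entities like &lt;script&gt; into the database, and a correct h() on output
// then escapes the & of each entity again, so the page shows the entity text.
$preEscaped = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
echo '<p>' . h($preEscaped) . "</p>\n";
```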

inkShio, 2019-10-20
@inkShio

trim - Returns the string str with whitespace removed from the beginning and end of the string.
stripslashes - Removes character escaping (backslashes).
htmlspecialchars - Converts special characters to HTML entities.

<?php
function formatstr($str)
{
    $str = trim($str);             // strip leading/trailing whitespace
    $str = stripslashes($str);     // remove backslash escaping
    $str = htmlspecialchars($str); // encode <, >, &, " as HTML entities
    return $str;
}

$login_name = formatstr('test');
print_r($login_name);

$login_name2 = formatstr('<p>test</p>');
print_r($login_name2);

$login_name3 = formatstr('<p class="test">test</p>');
print_r($login_name3);
?>

result
test

&lt;p&gt;test&lt;/p&gt;

&lt;p class=&quot;test&quot;&gt;test&lt;/p&gt;
