I am using $_GET, $_POST and $_COOKIE variables in method calls, SQL queries and file calls – and it is necessary to escape / rewrite this user-data for better security (avoid injection attacks and the like). How would you recommend this is done?
Some ideas from built-in escape function … to get the juices flowing:
- Add backslashes to \x00, \n, \r, \, ', " and \x1a to make the string safe for SQL queries – as in mysql_real_escape_string().
- Limit the accepted characters to [a-zA-Z0-9 _-\.] (where "\." is an escaped "."-dot).
Your inputs are appreciated. Thanks.
As escaping depends on the system you are sending the data to, my suggestion would be to use the functions provided by PHP, specifically created for each system.
For instance: mysql_real_escape_string or mysqli_real_escape_string, or PDO::quote; htmlspecialchars or htmlentities.
Either way: don't re-invent the wheel! There are escaping functions/methods that already exist for many kinds of output: use those!
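To make the answer's point concrete, here is an added example (not code from the question or the answer) that treats the same user-supplied values three different ways depending on where they go: SQL, HTML and the filesystem. It assumes PHP 8 with the mysqli extension, a local database whose credentials, table and column names are hypothetical, and an uploads directory used only for the path check.

```php
<?php
// Added example: escape (or validate) per destination, as the answer
// recommends. Database credentials, table and columns are hypothetical.
declare(strict_types=1);

// Constructed sample input standing in for $_GET / $_POST values.
$input = [
    'user'    => "o'brien",
    'file'    => '../../etc/passwd',
    'comment' => '<script>alert(1)</script>',
];

// 1. SQL: prefer a prepared statement. The value never becomes part of the
//    query text, so there is no escaping step that can be forgotten.
$db   = new mysqli('localhost', 'app', 'secret', 'appdb');
$stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
$stmt->bind_param('s', $input['user']);
$stmt->execute();

// 1b. If a value really must be embedded literally (legacy query builder),
//     use the connection-aware escaper rather than a hand-rolled backslash list,
//     because it knows the connection's character set.
$safe = $db->real_escape_string($input['user']);
$sql  = "SELECT id FROM users WHERE name = '$safe'";

// 2. HTML: escape at output time with the HTML escaper. ENT_QUOTES also
//    encodes single quotes, so the value is safe inside attribute values too.
echo '<p>', htmlspecialchars($input['comment'], ENT_QUOTES | ENT_HTML5, 'UTF-8'), '</p>';

// 3. Filesystem: escaping does not apply here. Restrict the name to a
//    whitelist (the question's [a-zA-Z0-9 _-\.] idea, hyphen escaped so it is
//    not read as a range), pin it under a fixed base directory, and confirm the
//    resolved path stays inside that directory. Returns null when rejected or
//    when the file does not exist (realpath() needs an existing path).
function safe_path(string $base, string $name): ?string
{
    if (!preg_match('/\A[a-zA-Z0-9 _\-.]+\z/', $name) || str_contains($name, '..')) {
        return null;
    }
    $root = realpath($base);
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $real === false) {
        return null;
    }
    return str_starts_with($real, $root . DIRECTORY_SEPARATOR) ? $real : null;
}

var_dump(safe_path('/var/www/uploads', $input['file'])); // NULL: traversal rejected
var_dump(safe_path('/var/www/uploads', 'report.txt'));   // full path if it exists, else NULL
```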