Which characters do I need to escape on user input to a flatfile database? I already have explicit testing against type, but am aware that code could be injected into the database or used to alter the queries.
So which characters must I escape before I store the user input?
Other security suggestions are welcome as I may have missed something.
After reading the comments, this is my function:
    private function cleanInput($input) {
        // Skip addslashes() when the delimiter is itself one of the characters
        // addslashes() would escape; preg_quote() below still escapes the delimiter.
        switch ($this->_config->delimiter()) {
            case '\"':   // in single quotes this is two characters: backslash, double quote
            case '"':
            case '\\':   // a single backslash
            case "\0":   // NUL byte (double quotes, so \0 is the byte, not the two characters \ and 0)
                break;
            default:
                $input = addslashes($input);
        }
        $output = preg_quote($input, $this->_config->delimiter());
        return $output;
    }
What you need to escape depends on what you're doing with the data. If you just dump data into a flatfile in this format:

Then obviously the , and newline characters are significant characters in your storage format. Therefore you'll need to escape any , or newline characters in the values themselves.

There is also the question of how you're inserting the data. If you just dump it using fwrite($fh, $data), there's nothing to escape. If you're using some SQL-like frontend for your flatfile backend, you need to escape any values you may be concatenating into the SQL query to keep the SQL syntax valid.

Escaping data is only necessary when you embed text strings in other strings; some characters have a special meaning, and you don't want those special characters in the value strings to trigger any special action. In that case you need to escape any characters which may have a special meaning.
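To make the "escape the characters that are significant in your storage format" point concrete, here is an added example that is not code from the question or from the answer above. It defines a small comma/newline-delimited flat-file format with backslash escaping, and shows what happens when a user-supplied value containing a comma and a newline is written unescaped versus escaped. All names in it (DELIM, ESC, escapeField, encodeRecord, naiveRecord, decodeRecord, parseFile) and the sample input are assumptions made for this example.

```php
<?php
// Added example (not the question's or the answer's code): a minimal
// comma/newline-delimited flat-file format. Only the characters that are
// significant in the format get escaped: the delimiter, the record
// terminator (newline) and the escape character itself.
// All names below are assumptions for this example.

const DELIM = ',';   // field separator
const ESC   = '\\';  // escape character (a single backslash)

// strtr() with an array scans the input once, so text it has already
// replaced is never re-escaped regardless of the order of the keys.
function escapeField(string $value): string
{
    return strtr($value, [
        ESC   => ESC . ESC,
        DELIM => ESC . DELIM,
        "\n"  => ESC . 'n',
        "\r"  => ESC . 'r',
    ]);
}

// One record per line; every field is escaped before concatenation.
function encodeRecord(array $fields): string
{
    return implode(DELIM, array_map('escapeField', $fields)) . "\n";
}

// The unsafe version: values concatenated into the format unescaped.
function naiveRecord(array $fields): string
{
    return implode(DELIM, $fields) . "\n";
}

// Inverse of encodeRecord() for one line (without its trailing newline).
function decodeRecord(string $line): array
{
    $fields = [];
    $cur    = '';
    $len    = strlen($line);
    for ($i = 0; $i < $len; $i++) {
        $c = $line[$i];
        if ($c === ESC) {
            if ($i + 1 >= $len) {
                throw new RuntimeException('dangling escape at end of record');
            }
            $n = $line[++$i];
            if ($n === 'n') {
                $cur .= "\n";
            } elseif ($n === 'r') {
                $cur .= "\r";
            } elseif ($n === ESC || $n === DELIM) {
                $cur .= $n;
            } else {
                throw new RuntimeException("unknown escape sequence \\$n");
            }
        } elseif ($c === DELIM) {
            $fields[] = $cur;
            $cur = '';
        } else {
            $cur .= $c;
        }
    }
    $fields[] = $cur;
    return $fields;
}

// Split a whole file into records. A raw "\n" can only be a record
// terminator, because escapeField() never emits one inside a field.
function parseFile(string $data): array
{
    $records = [];
    foreach (explode("\n", rtrim($data, "\n")) as $line) {
        $records[] = decodeRecord($line);
    }
    return $records;
}

// Constructed input: a "username" that smuggles a delimiter and a newline,
// trying to append a second record that grants itself the admin role.
$userInput = "alice,user\nmallory,admin";

$naiveRecords = parseFile(naiveRecord([$userInput, 'user']));
$safeRecords  = parseFile(encodeRecord([$userInput, 'user']));

printf("naive:   %d record(s); last record = %s\n",
    count($naiveRecords), json_encode($naiveRecords[count($naiveRecords) - 1]));
printf("escaped: %d record(s); round-trip intact = %s\n",
    count($safeRecords), var_export($safeRecords === [[$userInput, 'user']], true));

// A value ending in the escape character must survive the round trip too.
$tricky = ['C:\\dir\\', 'x'];
printf("trailing backslash round-trip intact = %s\n",
    var_export(parseFile(encodeRecord($tricky)) === [$tricky], true));
```

The naive writer turns the single input record into two stored records, the second of which reads mallory,admin,user; the escaping writer stores one record whose first field decodes back to the original string. Note that the escape set is tied to the format: if the delimiter or escape character changes, the set of characters to escape changes with it, and escaping for an unrelated context (SQL, a regular expression) does not make the flat file safe.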