Security!

[chaoswar4u]

Hi. Just looking for info on this just to make sure im thinking correctly on this.

If say there is a code that requires to be limited to just a number entry you would place abs(int)) for example to do so. However would there be any reason for such to have strip tags or in what senorio would you need to use strip tags.

Many thx in advance.

[Spudinski]

Re: Security!

 

This function tries to return a string with all HTML and PHP tags stripped from a given str . It uses the same tag stripping state machine as the fgetss() function.

The most probable scenario would be to prevent XSS attacks.

Reference: http://php.net/strip_tags

[Floydian]

Re: Security!

I'm not sure when you'd want to strip php tags. I've never had an instance where user submitted content would be placed in a context that would allow it to become executable. That would just be horrible technique.

I can see needing to strip php tags if your code were being put through eval() lol.

But here's a direct quote from the guy that invented PHP:

Rasmus Lerdorf: "If eval() is the answer, you're almost certainly asking the wrong question."

That's the man right there. If Bill Gates told you you were using windows wrong, I think those words would/should carry a little bit of weight to them ;)

 

Now I get to the subject of XSS attacks. Those are based on html and javascript tags. It's common to take text from a user and display it on a screen for others to see.

In this scenario, you should use htmlentities() to convert html and javascript tags into html entities.

Of course there's also database injection that you have to be concerned about. So before putting the string into a db, us mysql_real_escape_string(). This can and most likely should be used in combination with htmlentities().

[Zeggy]

Re: Security!

If you only want a number value, you can simply use intval(). If it's got letters or tags or symbols, the value will be converted to 0, so no need to worry about injections.

[Floydian]

Re: Security!

$something = (int) $user_input;

is basically the same as

$something = intval($user_input);

However the TC mentioned using abs();

Which just using inval() doesn't accomplish the same thing abs((int) $user_input); or abs(intval($user_input); does.

;)

abs takes out any negative values.

Personally, I prefer to use an if statement. If something is less than 0, tell the user this input was invalid.

I know some people like to code their code to punish folks that try to cheat the game, but that also will punish folks that accidentally put in a negative. And it's not very professional to have a script do something unexpected.

 

for instance, if you are withdrawing -100 from your bank, you don't expect it to withdraw 100, you expect it to simply not allow it.

And it I'd also expect an error message to accompany that as well. But if it simply withdraws 100, then I'd see it as a bit unprofessional. Does your bank do that? Would pay pal do that? Nope, and neither should you. ;)

[a_bertrand]

Re: Security!

for those REALLY lazy (like me):

$v=$_GET["myval"]+0;

is equivalent to

$v=intval($_GET["myval"]);

more or less... the only thing is that it keeps even floating points numbers.