[Solved] PHP coding standards for user entered data [closed]

Question

You should generally try to ‘escape’ all special characters when dealing with user supplied input.

If you find certain characters are causing havoc with your system then you can remove them like so:

<?php

$BadChars = array(
"'",    // Single quote - can harm SQL queries
"%",    // Percent sign - can harm SQL queries
"<",    // Less Than - can be used for XSS
">",    // Greater Then - can be used for XSS
";",    // Semicolon - can harm SQL queries
"£" 
);    

// $Input = $_GET['Name'];

$Input = "HELLO'%<;TEST";

foreach ( $BadChars as $Char )
{
    $Input = str_replace($Char, "", $Input);
}

print "Filtered Input: $Input";

?>

You can also escape data before it goes into a database using existing functions such as http://php.net/manual/en/function.mysql-real-escape-string.php

Accepted Answer

You should generally try to ‘escape’ all special characters when dealing with user supplied input.

If you find certain characters are causing havoc with your system then you can remove them like so:

<?php

$BadChars = array(
"'",    // Single quote - can harm SQL queries
"%",    // Percent sign - can harm SQL queries
"<",    // Less Than - can be used for XSS
">",    // Greater Then - can be used for XSS
";",    // Semicolon - can harm SQL queries
"£" 
);    

// $Input = $_GET['Name'];

$Input = "HELLO'%<;TEST";

foreach ( $BadChars as $Char )
{
    $Input = str_replace($Char, "", $Input);
}

print "Filtered Input: $Input";

?>

You can also escape data before it goes into a database using existing functions such as http://php.net/manual/en/function.mysql-real-escape-string.php