Security

Sanitising User Input

Some days you need to take user input from a part of an HTML form that was never really designed for it, in order to get a good UX.

This means that the input gets passed around through JS, AJAX, PHP and goodness only knows what else before it turns up in the right place.

How do we make sure it’s safe to add to a SQL query?

Of course we can use PDO, but what about the general case?

// trim, collapse runs of whitespace, strip tags, decode entities, escape for MySQL, then turn non-breaking spaces into plain spaces
$Words = str_replace("\xA0", " ", mysqli_real_escape_string($link, html_entity_decode(strip_tags(preg_replace('!\s+!', ' ', trim($Words))))));
// split the cleaned sentence into words
$pieces = explode(" ", strip_tags($Words));

Something just says this is plain wrong, but it’s working for me.

In this particular use case I’m trying to break up a user-provided “sentence” into a set of words, which I then do stuff with.
So it is particularly difficult to parse here when things get pasted.

I’m sure the above approach is wrong, would anyone like to tell me how to do it better?
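The following is an added example, not code from the original post, written to show the separation the question is circling around: tokenising the sentence (a whitespace problem, including the non-breaking space the snippet above special-cases) and getting the words into a query (a database-driver problem, solved by binding parameters rather than escaping strings). It uses Python with an in-memory sqlite3 database as a stand-in for PHP and MySQL so that it runs offline; the parameterised `?` placeholder is the same mechanism as a PDO prepared statement. The sample input, table name and helper names are constructed for the example.

```python
import re
import sqlite3

# Constructed sample input (not from the original post): pasted text containing a
# tab, a non-breaking space (U+00A0), an HTML entity, a tag, an apostrophe and
# some SQL-looking text. None of this needs escaping before it reaches the
# database when the query is parameterised.
SAMPLE = "  Hello\tworld\u00a0&amp;   <b>O'Brien</b>; DROP TABLE words; -- "

# In Python 3, \s on a str pattern matches every character for which
# str.isspace() is true, which includes U+00A0, so the separate \xA0 replacement
# from the original snippet is not needed here.
WS_RE = re.compile(r"\s+")


def words(sentence: str) -> list[str]:
    """Split a user-supplied sentence into words.

    This is the only 'sanitising' the tokeniser does: trim, collapse whitespace,
    split. It deliberately does not strip tags, decode entities or escape quotes:
    HTML encoding belongs at output time (htmlspecialchars in PHP) and SQL quoting
    belongs to the database driver, not to the application string.
    """
    return [w for w in WS_RE.split(sentence.strip()) if w]


def store_words(conn: sqlite3.Connection, sentence: str) -> int:
    """Store each word exactly as typed via a parameterised INSERT; returns the row count."""
    conn.execute("CREATE TABLE IF NOT EXISTS words (word TEXT NOT NULL)")
    rows = [(w,) for w in words(sentence)]
    conn.executemany("INSERT INTO words (word) VALUES (?)", rows)
    conn.commit()
    return len(rows)


def count_word_safe(conn: sqlite3.Connection, word: str) -> int:
    """Parameterised lookup: the value is bound, never parsed as SQL.

    The PHP equivalent is $pdo->prepare('... WHERE word = ?')->execute([$word]).
    """
    row = conn.execute("SELECT COUNT(*) FROM words WHERE word = ?", (word,)).fetchone()
    return row[0]


def count_word_naive(conn: sqlite3.Connection, word: str) -> int:
    """Vulnerable version, kept for contrast: user text is concatenated into SQL.

    A quote in the input changes the structure of the query, which is exactly
    what escaping functions such as mysqli_real_escape_string try to paper over.
    """
    sql = "SELECT COUNT(*) FROM words WHERE word = '" + word + "'"
    return conn.execute(sql).fetchone()[0]


def demo() -> tuple[int, int, int]:
    """Return (words stored, safe count for an injection string, naive count)."""
    conn = sqlite3.connect(":memory:")
    stored = store_words(conn, SAMPLE)
    probe = "' OR 1=1 --"          # no stored word equals this literal text
    safe = count_word_safe(conn, probe)   # 0: the probe is compared as data
    naive = count_word_naive(conn, probe) # matches every row: the probe became SQL
    conn.close()
    return stored, safe, naive


if __name__ == "__main__":
    print(demo())
```

Running it stores eight words and then looks up the probe string both ways: the bound query finds nothing, while the concatenated query turns `' OR 1=1 --` into a condition that matches every row. The tags and entity in the sample are stored untouched, which is the point: if those words are later rendered in HTML they get encoded at that output step, and the database never needed them stripped.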
