Incoming data validation is “must have”. Always be aware, that user will send you corrupted (or wrong) data. Sometimes by mistake, sometimes on purpose.
SQL injection and XSS (Cross-site scripting) are possible due to lack of data verification.
What should I validate?
E-v-e-r-y-t-h-i-n-g. Every piece of incoming data.
What can we lose?
Data. Logins, passwords and other stuff.In commercial products that could be a disaster.
Let’s mess things up!
Inject h1 tag and some content:
</pre> <h1>Injected content</h1> <pre>
<pre> <div style="text-decoration: underline;"> message </div> <script>alert('tadam!')</script> </pre>
Why we need stripslashes?
We protect ourself by adding slashes – but before we show output to user – we should remove them.
Buuu – inconvenient!
You think so? Yeah – you’re right. It is a lil bit inconvienient, but do not worry, there is another option. If you use Mysql database, you can use mysql_real_escape_string. It detects dangerous stuff and “add and strip” slashes without our help.
But, what about HTML?
Hmm but what about situation when we would like to show a html code as a text? Using previous methods – we would remove all html from content. There is one method that should help use – htmlspecialchars . It will change “living” HTML into its entity equal (but safe) version, so you can display it and it will not be interpreted.
I’ve tried to show the “basics of basics” of data validation. Read, test, read, test and never feel safe :)