justlukeyou Posted February 21, 2011 I am currently working on my PHP/MySQL driven website. However, I have read in recent weeks that there are a number of security measures which need to be taken, and one of them is sanitising input to prevent HTML/MySQL injection into a database. So I was wondering if there is an 'industry standard' for sanitising PHP. For example, if a website only wants their database to be searched by letters or numbers, do they use a specific code? I have found one based on numbers (for ID numbers) but I can't find one based on letters. I found this, but it is quite complicated and looks very different to the guide I found on YouTube. So is there an industry standard which blocks people using any other code than numbers or letters? http://bobby-tables.com/php.html I was also wondering if there are any other security measures I need to be aware of when using PHP? https://forums.phpfreaks.com/topic/228381-php-security-standard-sanatise-code/
Veteah Posted February 21, 2011 There's not really a standard, but it would be worth your time reading up on SQL injection attacks, as well as things like mysql_real_escape_string, magic_quotes, add_slashes and regex used in preg_*.
RestlessThoughts Posted February 21, 2011 There are lots of different ways to sanitize user input. For your specific examples, look at the ctype functions to check if the user enters the correct data. For example, ctype_alpha will return false with anything but letters, while ctype_alnum lets you use letters and numbers (and not things like symbols). For numbers, is_numeric would be a good test, or you could simply type cast it as an (int). See: ctype_alpha, ctype_alnum, is_numeric, integer type casting.
freelance84 Posted February 21, 2011 This tutorial helped me: http://www.phpfreaks.com/tutorial/php-security
cssfreakie Posted February 21, 2011 Also don't forget that once you output the data from your database to the screen, use something like htmlspecialchars or htmlentities.
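As an added example, not code from any poster in this thread, the following puts the replies together: the ctype checks and (int) cast RestlessThoughts suggests, a PDO prepared statement as the bobby-tables.com page linked in the question recommends, and htmlspecialchars on output as cssfreakie says. The database name, credentials, table and column names are assumptions.

```php
<?php
// Added example: validate a search term and an id, query with a prepared
// statement, escape on output. Table/column names (users, username) are assumed.

/** Return the search term only if it is 1-32 ASCII letters/digits, else null. */
function validateSearchTerm(string $raw): ?string
{
    $term = trim($raw);
    // ctype_alnum rejects anything but ASCII letters and digits, so quotes,
    // semicolons and angle brackets never get anywhere near the query.
    if ($term === '' || strlen($term) > 32 || !ctype_alnum($term)) {
        return null;
    }
    return $term;
}

/** Return the id as an int, or null if it is not a positive whole number. */
function validateId(string $raw): ?int
{
    // ctype_digit accepts only "0".."9"; the length guard keeps the (int)
    // cast from saturating on absurdly long digit strings.
    if (!ctype_digit($raw) || $raw === '0' || strlen($raw) > 10) {
        return null;
    }
    return (int) $raw;
}

// Assumed connection details; ERRMODE_EXCEPTION surfaces query failures,
// EMULATE_PREPARES=false makes the server itself separate SQL from data.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$term = validateSearchTerm($_GET['q'] ?? '');
if ($term === null) {
    http_response_code(400);
    exit('Search term must be letters or numbers only.');
}

// The ctype check narrows what is accepted; the prepared statement is what
// actually keeps user data out of the SQL structure, so use both.
$stmt = $pdo->prepare('SELECT id, username FROM users WHERE username LIKE ?');
$stmt->execute([$term . '%']);

foreach ($stmt as $row) {
    // Escape on output so stored data cannot inject HTML into the page.
    echo '<li>', htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'), "</li>\n";
}
```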