Last Updated on: Monday, March 23, 2009 1:49 AM

Sanitize filters

When protecting the data inside your database there are several measures you can take. One of them is the way we structure our code, as in the following example.

    $stmt = mysqli_stmt_init($connection_object);
    $sql = "UPDATE employees
            SET emp_fname=?, emp_lname=?, emp_dept=?, emp_wphone=?, emp_email=?,
                emp_password=?, emp_hareacode=?, emp_hphone=?, emp_cphone=?, emp_level=?
            WHERE emp_id=?";
    if (mysqli_stmt_prepare($stmt, $sql)) {
        // nine string parameters followed by two integers, one type letter per placeholder
        mysqli_stmt_bind_param($stmt, "sssssssssii",
            $firstname, $lastname, $dept, $workphone, $email, $password,
            $areacode, $homephone, $workcell, $emp_level, $emp_id);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
    }

These steps only execute the MySQL statement that was prepared from the $sql variable; the user-supplied values are bound as parameters, so they are treated as data and never as part of the SQL text. This helps protect us from harmful attacks that try to inject SQL through input boxes.

Another way is to use PHP or JavaScript to validate the data entered. This can be done in many ways depending on the data you want to accept and the data you want to exclude. Here is an example of this in PHP from one of our scripts in class:

    if (strlen($_POST['txt_cellphone']) != 4) {
        $error['workcell'] = 'Your work cell number must be 4 numbers.';
    }

In this example the length is limited to exactly 4 characters; no more, no less. Note that strlen() only checks the length, not that the characters are digits. Limiting how much can be entered also reduces what an injection attack can fit into a field.

The third way to protect your data is through sanitize filters. These are built-in PHP functions that help filter out things you do not want in your inputs.

Here is a link to a table with a list of sanitize filters. Each of these filters strips out, or only lets through, certain kinds of information before the value is written to the database. This can help remove characters that would be used in an injection attack.
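To show the three approaches working together, here is an added example (not from the class scripts) that runs PHP's built-in validate and sanitize filters over a constructed form submission before the values would be bound to the prepared statement above. The field names, the 1 to 5 range for emp_level, and the sample values are assumptions for illustration.

```php
<?php
// Constructed sample input standing in for $_POST (not from the original page).
$input = [
    'txt_email'     => 'jane.doe@example.com',
    'txt_cellphone' => '12a4',            // rejected: four characters but not four digits
    'txt_level'     => '7',               // rejected: outside the assumed range 1-5
    'txt_hphone'    => '(555) 123-4567',  // sanitized down to digits only
];

// Validate or sanitize each field with the built-in filters; a validate filter
// returns false for a bad value, a sanitize filter strips unwanted characters.
function validate_employee(array $in): array
{
    $errors = [];
    $clean  = [];

    $clean['email'] = filter_var($in['txt_email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($clean['email'] === false) {
        $errors['email'] = 'Enter a valid email address.';
    }

    // strlen() alone only checks length; also require digits so "12a4" is rejected.
    $cell = $in['txt_cellphone'] ?? '';
    if (!ctype_digit($cell) || strlen($cell) != 4) {
        $errors['workcell'] = 'Your work cell number must be 4 numbers.';
    } else {
        $clean['workcell'] = $cell;
    }

    // Validate the level as an integer inside a known range (1-5 is an assumed range).
    $clean['emp_level'] = filter_var($in['txt_level'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 5]]);
    if ($clean['emp_level'] === false) {
        $errors['emp_level'] = 'Employee level must be a whole number from 1 to 5.';
    }

    // Sanitize filter: keep only digits, plus and minus signs from the home phone.
    $clean['homephone'] = filter_var($in['txt_hphone'] ?? '', FILTER_SANITIZE_NUMBER_INT);

    return ['clean' => $clean, 'errors' => $errors];
}

$result = validate_employee($input);
if ($result['errors']) {
    foreach ($result['errors'] as $field => $msg) {
        echo "$field: $msg\n";
    }
    exit; // do not touch the database with bad data
}
// Only reached with clean values; they would then be passed to mysqli_stmt_bind_param()
// exactly as in the prepared statement above, never concatenated into $sql.
```

With the constructed input the script reports the bad cell number and level and stops; with valid input it falls through to the point where the cleaned values would be bound.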