Get thee some sanitizer

It’s always good to sanitize. I remember back to my days of working at Burger King - whenever I was unlucky enough to pull dishwashing duty, I had to wash the dishes with soap, rinse them and then sanitize them before putting them away. You want to make sure nothing funky is left over.

Same goes for PHP code, except in reverse. Imagine your web application is the dishwashing station at Burger King. We want to wash, rinse and sanitize any dishes we get, but in this case we’re talking about any inputs we get from a user. In the case of our web app, we want to make sure we sanitize that input before we go and wash, rinse, query, insert and update our data. We certainly don’t want to process compromised inputs, and we certainly do not want to write and store that code in our databases.

I was reviewing some code written by one of our students and saw this:

```php
$catid = $_GET['cat'];
// Raw user input is concatenated straight into the SQL string, unvalidated and unescaped.
$select = mysql_query("SELECT * FROM categories WHERE id = " . $catid);
```

Friends, that’s bad. That’s a SQL injection waiting to happen. It looks innocent enough - we’re taking whatever string is supplied in $_GET['cat'] and dropping it unchanged into the query on the next line, so the user, not the application, decides what that query says. It would be very easy for someone to try something nefarious (and trust me, they will and do, often).
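Here is how that same lookup looks once the input is validated and the query is parameterised. This is an added example, not code from the original post: it assumes a PDO connection to the same categories table, and the function names categoryIdFromRequest() and fetchCategory() plus the DSN and credentials are placeholders chosen for the illustration.

```php
<?php
// Added example, not from the original post. Assumes a PDO connection to the
// "categories" table the post queries; the function names, DSN and
// credentials below are placeholders, not the author's.

// Step 1: validate. A category id is a positive integer; anything else is
// rejected before it gets anywhere near the database.
function categoryIdFromRequest(array $get): ?int
{
    if (!isset($get['cat'])) {
        return null;
    }
    // FILTER_VALIDATE_INT accepts only a plain integer string: trailing
    // text, spaces or SQL fragments all make it return false.
    $id = filter_var($get['cat'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Step 2: parameterise. The value is bound to a placeholder, never
// concatenated into the SQL text, so it cannot change the query's structure
// even if the validation above is loosened later.
function fetchCategory(PDO $pdo, int $catid): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $catid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage. Emulated prepares are switched off so the server, not the driver,
// separates query text from parameters.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpassword', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$catid = categoryIdFromRequest($_GET);
if ($catid === null) {
    http_response_code(400);
    exit('Invalid category id');
}
$category = fetchCategory($pdo, $catid);
```

The integer cast alone would close this particular hole, but the prepared statement is what keeps it closed when the next column queried is a string.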
