Untainting User Data
When you make scripts accessible from the Web, they are vulnerable to security problems caused by deliberate or accidental abuse from users all over the world. When your scripts process input provided by users, you must be even more vigilant and validate the data to ensure that it is in the format and size your scripts expect and must handle. Let’s look at three issues.
Limiting the Size and Type of Input Data
Many problems are caused by the system encountering data that it can’t handle; for example, a user may try to log in to the system with a login name that is longer than the database can handle, resulting in unexpected behavior. An attacker may try to overload your script with more data than it can handle and in this way cause something to break. You should limit the amount of data that you accept and process. There are server variables that you can configure to do this, but we won’t look at those. Instead, we’ll look at how your script can reject excess data.
The PHP substr()
function returns a specified
portion of a string. You can limit the data passed from a form using
this function; for example, you can choose to use just the first 15
characters:
// Reduce the length of the artist name to at most 15 characters $_GET["artist"] = substr($_GET["artist"], 0, 15);
The 0
indicates that the returned substring
should start from the initial character (character 0), and the
15
specifies the maximum number
of characters to be returned.
Before processing input data, ...
Get Learning MySQL now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.