The clean( ) function in the include file db.inc makes user input secure. The function is shown in Example 11-3, and it takes two parameters: the user input $input and the maximum length $maxlength that is expected. It returns the cleaned string.

The clean( ) function first uses a PHP library string function to reduce the length of $input to its desired maximum. It then uses a PHP library function to insert backslash characters before selected characters—such as semicolons, backslashes, greater-thans, and less-thans—so that their special meanings in Unix shells are nullified or escaped. These two steps are usually sufficient to ensure that users cannot maliciously add extra clauses to SQL queries and cannot manipulate other MySQL library functions.
Never trust user input or network data. You should preprocess all user data by escaping special shell characters and ensuring that the data does not exceed a maximum length. A function such as clean( ) in our db.inc include file is useful for this task.
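The following is an added example, not the book's Example 11-3 or the actual db.inc code. It implements the two steps the text describes (truncate to $maxlength, then backslash-escape shell metacharacters) and runs the result over a few constructed inputs so the effect of each step is visible. The choice of substr( ) and escapeshellcmd( ) as the two library functions is an assumption about how those steps are carried out.

```php
<?php
// Added example reproducing the two-step clean() described in the text.
// Assumption: the length step is substr() and the escaping step is
// escapeshellcmd(); the book's own function may differ in detail.
function clean($input, $maxlength)
{
    // Step 1: cap the length so arbitrarily long input is not passed on.
    $input = substr($input, 0, $maxlength);

    // Step 2: insert a backslash before characters that are special to a
    // Unix shell (semicolon, backslash, <, >, &, |, backtick, $ and others)
    // so that they lose their special meaning.
    $input = escapeshellcmd($input);

    return $input;
}

// Constructed sample inputs (not from the book) exercising each step.
$samples = array(
    "Smith",              // ordinary value: passes through unchanged
    "Smith; Jones",       // semicolon gets a backslash in front of it
    "a<b>c\\d",           // <, > and the backslash are all escaped
    str_repeat("x", 40),  // longer than $maxlength: truncated to 20 chars
);

foreach ($samples as $s) {
    printf("%-42s -> %s\n", $s, clean($s, 20));
}
```

Two points worth noticing when running this: the length check happens before escaping, so the returned string can be longer than $maxlength once backslashes are added; and escapeshellcmd( ) is defined in terms of shell syntax, not SQL syntax, so any value that is actually interpolated into a query should still be quoted with the database driver's own escaping function or, better, bound through a prepared statement.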
The automatic initialization of variables by the PHP engine also presents a minor security risk. The engine initializes variables in a certain order (defined in PHP's configuration file), which presents the possibility that a variable can be initialized twice, with the second value overwriting the first. For example, by default, the PATH environment variable, which tells the PHP engine where to look for programs, is one of ...