Hello, if the PHP script is connected to MySQL, I would use:

$variable = mysql_real_escape_string($_GET["email"]);

And if it's a plain script, without any relation to MySQL, how would I secure that variable that comes from the submitted URL: http://domain.com/script.php?email=a@b.tld ? Thank you.

Update: I found these 2 posts quite helpful: http://stackoverflow.com/questions/...-sanitizing-user-input-with-php/129767#129767 http://stackoverflow.com/questions/...hp-input-sanitizing-functions/3126175#3126175
Did you mean email validation as documented here at http://php.net/manual/en/filter.examples.validation.php ?
There's no silver-bullet for input sanitation. It depends largely on the context of the app, and what you're doing with the user input. Take a look at PHP's input filters; they're a good start. http://php.net/manual/en/function.filter-input.php Bear in mind, no input can be trusted just because it went through some "magical PHP functions" that appear to sanitise it. It's up to you to know what these filters clean, and whether, after applying them, the variable is safe for the given context. Furthermore, mysql_real_escape_string() makes input safe for inserting it into a database. However, that does not mean I can't save JavaScript or HTML into it; that would be perfectly valid if displayed at some later stage.
Not to mention that using mysql_ is really not recommended. It's deprecated, insecure, horrible and should be avoided at all cost. Go with either mysqli_ or PDO (preferred) and use prepared queries - doesn't matter what people try to pass on, the preparation will quench any attempt before it gets input. BTW - your question doesn't really make any sense - if you're not accessing the database, it doesn't matter what people put in the URL - if you are, as you say, you're using mysql_real_escape_string() - I'm not really sure what you're afraid of? Not to mention that if you're worried about these things (which of course, you should be (sorta)), then you've probably designed the app the wrong way. NEVER trust anything a user inputs - be it in a URL or any other form of user input. Always filter and sanitize.
Please, how should I "sanitize" that $variable so you can't do what you say? Any example? I think this can be good (in some cases):

$variable = strip_tags($variable);
$variable = htmlspecialchars($variable);
$variable = mysql_real_escape_string($variable);

Maybe I need to study these PHP functions more.
There are some examples on the page I gave you earlier. And more here: http://php.net/manual/en/filter.filters.sanitize.php But it ultimately depends on what you're doing with the variable. And on what you want to allow and what not. Ergo "no silver-bullet". Asking "how can I sanitise a variable" might yield a response for a few use-cases, but not necessarily yours. With the context I'm given, I would suggest FILTER_SANITIZE_SPECIAL_CHARS or htmlspecialchars(): http://us1.php.net/manual/en/function.htmlspecialchars.php But that might not be enough.
strip_tags() removes HTML tags. Nothing else. It doesn't protect you from things like these:

<input value="<?php echo strip_tags($_GET['value']); ?>" />

... why? Because if I submit data like this:

page.php?value=" onfocus="alert('nope');" b="

It'll turn into this:

<input value="" onfocus="alert('nope');" b="" />

... not good. htmlspecialchars() would be good in this scenario, but consider this:

// javascript
var foo = '<?php echo htmlspecialchars($_GET['value']); ?>';

And I submit:

page.php?value='; alert('nope'); //

It'll turn into this:

var foo = ''; alert('nope'); //

... also not good. (Unless I specify the second argument and set it to ENT_QUOTES.)

And mysql_real_escape_string() simply isn't of any use, unless you want to insert a variable into a query string. Don't use this anywhere else. And take a look at @PoPSiCLe's post. Don't use mysql_* functions to begin with.

The easiest input to sanitise is numbers.

$integer = (int) $_GET['value'];
$float = (float) $_GET['value'];

As you can see, context matters. So be careful and read what these functions do exactly before putting them randomly into your code. This only covers the basics, there's a lot more... And on a last note, sanitise all input that comes from the user. That includes cookies, POST, GET, $_FILES (especially $_FILES['type']), $_SERVER['HTTP_*'] variables, $_SERVER['PHP_SELF'], radio buttons, checkboxes, <select>s, etc...
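To tie the above together for the original question's email parameter, here is an added example (not code from any poster in this thread) that validates the value once on input and then encodes it separately for each output context it lands in: HTML attribute, JavaScript string, and SQL via a PDO prepared statement. The users table, column names and the PDO connection details are assumptions.

```php
<?php
// Added example (not from the thread): one untrusted value, handled per context.
// Rule of thumb: validate on input, encode on output for the exact context.
declare(strict_types=1);

// 1. Validation: reject anything that is not an e-mail address instead of
//    trying to "clean" it. filter_input() gives false if invalid, null if absent.
$email = filter_input(INPUT_GET, 'email', FILTER_VALIDATE_EMAIL);
if ($email === null || $email === false) {
    http_response_code(400);
    exit('Invalid or missing email parameter');
}

// 2. HTML attribute context: ENT_QUOTES escapes both " and ', so the
//    onfocus="..." trick shown above cannot close the value attribute.
function htmlAttr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. JavaScript context: htmlspecialchars() is the wrong tool here. json_encode()
//    emits a valid JS string literal, and the HEX flags keep <, >, ', " and &
//    out of the markup, so neither '; alert(...) nor </script> can end the literal.
function jsString(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

// 4. SQL context: a prepared statement keeps data apart from the query text,
//    so no escaping function is needed. Table and column names are assumptions.
function findUser(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
// Placeholder DSN/credentials (assumption):
// $user = findUser(new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass'), $email);
?>
<input type="email" name="email" value="<?= htmlAttr($email) ?>" />
<script>
    var email = <?= jsString($email) ?>;
</script>
```

Note that the same $email is encoded differently in each of the two output spots; reusing one "sanitised" copy of the variable everywhere is exactly what the posts above warn against.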
You need to set:

if (isset($_POST["submit"]))

and the script will not execute until you hit submit.