O'Reilly logo

Learning MySQL by Hugh E. Williams, Seyed M.M. Tahaghoghi

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Untainting User Data

When you make scripts accessible from the Web, they are vulnerable to security problems caused by deliberate or accidental abuse from users all over the world. When your scripts process input provided by users, you must be even more vigilant and validate the data to ensure that it is in the format and size your scripts expect and must handle. Let’s look at three issues.

Limiting the Size and Type of Input Data

Many problems are caused by the system encountering data that it can’t handle; for example, a user may try to log in to the system with a login name that is longer than the database can handle, resulting in unexpected behavior. An attacker may try to overload your script with more data than it can handle and in this way cause something to break. You should limit the amount of data that you accept and process. There are server variables that you can configure to do this, but we won’t look at those. Instead, we’ll look at how your script can reject excess data.

The PHP substr() function returns a specified portion of a string. You can limit the data passed from a form using this function; for example, you can choose to use just the first 15 characters:

// Reduce the length of the artist name to at most 15 characters
$_GET["artist"] = substr($_GET["artist"], 0, 15);

The 0 indicates that the returned substring should start from the initial character (character 0), and the 15 specifies the maximum number of characters to be returned.

Before processing input data, ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required