<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">All,<div><span class="Apple-tab-span" style="white-space:pre">        </span>As I am closely perusing essentially the entire website during the migration to SVN I've noticed some troubling practices regarding SQL. This involves neither cleansing inputs nor outputs to/from the database. Failure to do so can result in SQL injection and cross-site scripting (XSS). While the latter is undesirable, the former can potentially expose us to intentional and/or accidental loss of data integrity.</div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre">        </span>The solution to this is to cleanse all inputs <b>before</b> inserting into a database or echoing values to a user. Since any reads done <i>from</i> the database should now be reading cleansed input, you can safely echo this directly to the user; however, if echoing user input directly from a form, you should certainly make sure to cleanse it before doing so.</div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre">        </span>Cleansing input can be done in a variety of ways...</div><div><br></div><div>... for MySQL integers use the PHP function "intval"</div><div>... for MySQL decimals use the PHP function "floatval"</div><div>... for MySQL strings use the PHP function "mysql_real_escape_string"</div><div>... for content to be echoed to the user (in a browser) use the PHP function "htmlspecialchars"</div><div><br></div><div>There are a variety of other functions that may also be useful. Read the PHP documentation for more information. 
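</div><div>The four functions listed above, applied in an added example that is not Eric's code or the site's: a query builder that pastes raw request values into SQL, beside the hardened version, plus the HTML-escaping step for output. The table name, column names, connection credentials and request values are all constructed for illustration.</div>

```php
<?php
// Added example, not from the original message. Table/column names and the
// request array are constructed; $link is an open mysql connection.

// VULNERABLE: raw request values are interpolated into the SQL text.
// A stray quote in 'region' breaks the statement (accidental integrity
// loss); a crafted 'id' rewrites the WHERE clause (injection).
function unsafe_query(array $req) {
    return "SELECT id, place FROM events WHERE id = {$req['id']} "
         . "AND magnitude > {$req['mag']} AND region = '{$req['region']}'";
}

// HARDENED, per the message: coerce numerics, escape strings for MySQL.
// The connection is required so escaping matches its character set.
// Note: mysql_* was removed in PHP 7; mysqli/PDO prepared statements are
// the replacement and avoid string escaping entirely.
function safe_query(array $req, $link) {
    $id     = intval($req['id']);      // "7 OR 1=1" -> 7
    $mag    = floatval($req['mag']);   // "5.0 junk" -> 5.0
    $region = mysql_real_escape_string($req['region'], $link); // ' -> \'
    return "SELECT id, place FROM events WHERE id = $id "
         . "AND magnitude > $mag AND region = '$region'";
}

// OUTPUT CONTEXT: the SQL parser consumes the escaping above, so the value
// stored in the table is the original string. Escape again when echoing
// to a browser, whether the value came from the form or from the database.
function safe_echo($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed request values standing in for $_GET / $_POST.
$req = array(
    'id'     => "7 OR 1=1",
    'mag'    => "5.0 junk",
    'region' => "Fiji' <script>alert('xss')</script>",
);

$link = mysql_connect('localhost', 'reader', 'secret'); // assumed credentials

echo unsafe_query($req), "\n";      // malformed query, widened WHERE clause
echo safe_query($req, $link), "\n"; // WHERE id = 7 AND magnitude > 5 AND region = 'Fiji\' <script>...'
echo safe_echo($req['region']), "\n"; // Fiji&#039; &lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;
```

<div>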
You can check out the following example page I created that highlights these vulnerabilities in an interactive fashion at:</div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre">        </span><a href="http://ehpd-earthquake.cr.usgs.gov/unsafe.php">http://ehpd-earthquake.cr.usgs.gov/unsafe.php</a><br></div><div><span class="Apple-tab-span" style="white-space:pre">        </span>(This isn't an awesome page, but just something I threw together quickly as an example.)<br></div><div><br></div><div>Moral of the story? Be careful when working with users. Cleanse your inputs.</div><div><br></div><div apple-content-edited="true"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Thanks,</div><div><span class="Apple-tab-span" style="white-space: pre; ">        </span>~Eric.<br></div><div><br></div><br></div></span><br class="Apple-interchange-newline"> </div><br></body></html>