StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
2402576
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
2
CommunityOwnedDate
CreationDate
2010-03-08T15:53:46.027
FavoriteCount
0
LastActivityDate
2010-03-09T13:06:06.460
LastEditDate
2017-05-23T11:47:22.653
LastEditorUserId
-1
OwnerUserId
187606
ParentId
2401706
PostTypeId
2
Score
19
ViewCount
0
LastEditorDisplayName
text
Body
I used to be a friend of centralizing sanitation as much as possible, but extensive discussion on SO (<a href="https://stackoverflow.com/questions/1809843/why-is-filter-input-incomplete">for example here</a>) has changed my mind. Definitely worth a read. I submit to you the following practice: In a central validation routine, do no sanitation, or just "rough" checks (say, for data type) and size ("$_POST["category_name"] should not be larger than 200 bytes.") Mark incoming variables as unsafe (e.g. <code>$unsafe_id = $_POST["category_name"];</code>). Store them in whatever controller / class / construct you have available for it. Sanitize data where it is used. If incoming data is used in a <code>exec</code> call for example, do the necessary sanitation directly in front of the call: <pre><code> $safe_category_name = escapeshellargs($unsafe_category_name); exec("external_binary -category_name '$safe_category_name'"); </code></pre> if the same data is then used in a, say, mySQL query, again sanitize it in front of the call: <pre><code> $safe_category_name = mysql_real_escape_string ($unsafe_category_name); mysql_query("SELECT * FROM items WHERE category_name = '$safe_category_name'"); </code></pre> (this is just an example. If starting a project from scratch, you will want to use PDO and prepared statements, which takes away the hassle of escaping incoming data in this context.) if the same data is then output in a web page, again do the sanitation directly in front of the call: <pre><code>$safe_category_name = htmlspecialchars($unsafe_category_name); echo "$safe_category_name"; </code></pre> This practice <ul> <li>Establishes a workflow that assumes there are unsafe variables that need to be dealt with first, which leads to a safer programming style IMO. </li> <li>Prevents unnecessary conversions.</li> <li>Helps fight the illusion that there is a one-click method to make input "safe." There isn't. Sanitation depends 100% on context.</li> </ul>
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POWhere to sanitize PHP $_POST[] input?
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USCommunity
UserOwnerUserId
1. USPekka 웃
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. POWhere to sanitize PHP $_POST[] input?
 singulars
 PostTypePostTypeId
 PTQuestion
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COEven easier, if it's an ID in vanilla PHP you can just use $id = (int) $_POST['id'] to make it safe.
 singulars
 PostPostId
 PO
 UserUserId
 USPhil Sturgeon
2. CO@Phil the `$id` was meant to be an example of arbitrary string data. I changed the variable, as id is usually numeric, you're right. Cheers.
 singulars
 PostPostId
 PO
 UserUserId
 USPekka 웃

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.