Sounds like you might need something like a SQL version of HTML::Scrubber.
The more important thing is to use prepared statements with placeholders, so
that you can't get server execution injected on. Then worry about javascript
or html scrubbing.
--
Joe Atzberger
LibLime - Open Source Library Solutions
On Fri, Jun 5, 2009 at 10:30 AM, Kenneth R. Irwin <[log in to unmask]> wrote:
> Hi folks,
>
> Can someone point me to some good information/how-to-guide/etc for
> sanitizing files uploaded to a MySQL database through a web interface? (This
> would be something much like the "Insert data from a textfile into table"
> function in phpMyAdmin.) I want to make sure there aren't any nasty queries
> inserted into the tab-delimited data.
>
> I.e., don't let this happen to you: http://xkcd.com/327/
>
> Is this whole-file sanitization any different than the sort of thing you
> might use for individual pieces of data? E.g.
> http://www.denhamcoote.com/php-howto-sanitize-database-inputs
>
> Any advice would be appreciated.
>
> Thanks!
> Ken
>
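One way to do what Joe suggests, as an added example that is not from the thread or from LibLime/Koha: every field of the tab-delimited upload is bound as a placeholder parameter, while the column names (which a placeholder cannot carry) are checked against an allow-list. It uses sqlite3 standing in for MySQL; the table name `items`, the column set and the sample file are assumptions.

```python
import csv
import io
import sqlite3

# Constructed sample upload: tab-delimited, header row first. Row 0002 carries
# an xkcd-327 style payload and row 0003 an HTML payload; with placeholders
# both are stored as plain text, and HTML scrubbing is a separate, later step.
UPLOAD = (
    "barcode\ttitle\tauthor\n"
    "0001\tThe C Programming Language\tKernighan\n"
    "0002\tRobert'); DROP TABLE items;--\tBobby Tables\n"
    "0003\t<script>alert(1)</script>\tMallory\n"
)

# Assumed schema of the target table. Identifiers cannot be bound, so the
# header is validated against this set instead of being pasted into the SQL.
ALLOWED_COLUMNS = {"barcode", "title", "author"}


def validate_header(header):
    """Return the header names that are not allowed table columns."""
    return [c for c in header if c not in ALLOWED_COLUMNS]


def import_tsv(conn, text):
    """Load tab-delimited text into `items` with one prepared statement.

    Field values are passed as parameters, never interpolated, so quotes or
    SQL keywords inside a field are data to the server. Returns rows inserted.
    """
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    header = next(reader)
    bad = validate_header(header)
    if bad:
        raise ValueError("unknown column(s) in upload: %r" % bad)
    cols = ", ".join(header)
    marks = ", ".join("?" for _ in header)  # MySQL DB-API drivers use %s instead
    sql = "INSERT INTO items (%s) VALUES (%s)" % (cols, marks)
    rows = [row for row in reader if row]
    for r in rows:
        if len(r) != len(header):
            raise ValueError("expected %d fields, got %d: %r" % (len(header), len(r), r))
    with conn:  # one transaction: a bad row leaves the table untouched
        conn.executemany(sql, rows)
    return len(rows)


def demo():
    """Import the sample and report what actually landed in the database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (barcode TEXT, title TEXT, author TEXT)")
    n = import_tsv(conn, UPLOAD)
    titles = [t for (t,) in conn.execute("SELECT title FROM items ORDER BY barcode")]
    tables = [t for (t,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    return n, titles, tables
```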