Is this xss, sql injection, buffer overflow safe?

Development and Programming

funnEE
94 posts
14 years ago

I am currently using the following PHP code to protect against XSS and SQL injection. $dbh is the connection to the database.

// Delete hexadecimal escape sequences such as \x41. The pattern is single-quoted
// so the doubled backslash reaches PCRE as one literal backslash.
function cleanHex($input)
{
    $clean = preg_replace('!\\\\[xX]([A-Fa-f0-9]{1,3})!', "", $input);
    return $clean;
}

$var1 = strip_tags($_POST["id"]);                 // drop HTML tags
$var1 = substr($var1, 0, 7);                      // cap the value at 7 characters
$var1 = cleanHex($var1);                          // remove \x.. escapes
$var1 = $this->EE->security->xss_clean($var1);    // ExpressionEngine XSS filter

// PDO prepared statement: the value is bound to :pid, not concatenated into the SQL
$insert_var1 = $dbh->prepare("INSERT INTO table_name (pid) VALUES (:pid)");
$insert_var1->bindParam(':pid', $var1);
$insert_var1->execute();

echo $var1;

Is this secure enough? Am I being redundant? What recommendations do you have besides adding a token against form spoofing? Is there a better way of going about this? Thanks, Dave

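As an added example that is not part of funnEE's post: the same PDO prepare/bind pattern run against an in-memory SQLite table (the pdo_sqlite driver is assumed so it runs without a MySQL server; table_name is a placeholder), with HTML output encoding added, checking what is stored and what is rendered for hostile-looking inputs.

```php
<?php
// Added example, not the poster's code. It keeps the post's PDO pattern
// (prepare + bind + execute) and adds output encoding, then checks how
// both behave on hostile-looking input. Assumes the PDO sqlite driver;
// table_name is a placeholder table.

// SQL injection: a bound value never becomes part of the SQL text, so
// quotes and comment markers inside $id cannot alter the statement.
function insertPid(PDO $dbh, string $id): void
{
    $id   = substr($id, 0, 7);                       // same length cap as the post
    $stmt = $dbh->prepare("INSERT INTO table_name (pid) VALUES (:pid)");
    $stmt->bindValue(':pid', $id, PDO::PARAM_STR);
    $stmt->execute();
}

// XSS: encode at the point the value is written into HTML, whatever
// strip_tags() or xss_clean() did or did not remove on the way in.
function renderPid(string $pid): string
{
    return htmlspecialchars($pid, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE table_name (pid TEXT)");

// Constructed sample inputs: a normal id, a quote/comment payload, a tag.
$samples = ["abc1234", "x'); --", "<b>hi"];
foreach ($samples as $raw) {
    insertPid($dbh, $raw);
}

// Every row is stored verbatim: the parameter absorbed the quote and the
// comment marker, and the statement inserted exactly three rows.
$rows = $dbh->query("SELECT pid FROM table_name ORDER BY rowid")
            ->fetchAll(PDO::FETCH_COLUMN);
var_dump($rows === $samples);          // bool(true)

// The same stored values are inert once encoded for HTML output.
echo renderPid($rows[2]), PHP_EOL;     // &lt;b&gt;hi
echo renderPid($rows[1]), PHP_EOL;     // x&apos;); --
```

The stored rows show that parameter binding, not input stripping, is what keeps the quote out of the SQL; the encoded output shows the browser-side risk is handled where the value is rendered.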
