Input Sanitation

Gatsman 18 May, 2017
Hello, I am following this FAQ about input sanitizing but I need some help.
I have a form that will write into the database (custom code). I don't care about required fields, but what I care about is sanitizing the data against malicious code, SQL injection and so on. Also, users should not be allowed to enter HTML.

Up to now I have created custom code in the On Submit where I placed the Advanced Filtering code from the FAQ and a debugger.
After submit I can check that if I write test’ in the first input field it will be changed to test', so I guess it works correctly. Now, do I need to do anything else in my case?

I know input sanitation is a huge subject; what I mean is whether I need to do anything else in relation to the FAQ in my case, or am I covered.
GreyHead 18 May, 2017
Hi Gatsman,

I have no answer to the question except to suggest that you test the form.

Bob
Max_admin 18 May, 2017
Hi,

The data is escaped before being saved, so you should not modify the data before its saved.

But if you are going to display the data back on a web page then it should be properly cleaned before that point, try the htmlspecialchars function.

Best regards,
Max
Max, ChronoForms developer
ChronoMyAdmin: Database administration within Joomla, no phpMyAdmin needed.
ChronoMails simplifies Joomla email: newsletters, logging, and custom templates.
Gatsman 18 May, 2017
I am now a little more confused… 🤣

I have no answer to the question except to suggest that you test the form.

Problem is, Bob, I don't know how to correctly test the inputs; all I know is that if I write it will give a SQL error without the Advanced Filter code and won't when I use that code.

The data is escaped before being saved, so you should not modify the data before its saved.

Max, I said that I save to the database with custom code and not with the ChronoForms DB Save.
Are the data still escaped before being saved?
So I should not use the Advanced Filter code from the FAQ before every other action in the On Submit? I should not use it at all?
Max_admin 18 May, 2017
Hi Gatsman,

When you save the data, you should escape the values; PHP has functions for this, and the Joomla db class has a function for this too.

But if you sanitize the data, you modify it. It depends on your app whether saving a modified version is good or not, but it's always necessary to pay attention when displaying the data back.

Best regards,
Max
GreyHead 19 May, 2017
Hi Gatsman,

There are two different - though linked - things in this thread.

Escaping before saving is about checking that there are no characters that might break the MySQL query that is being generated - e.g. a quote in a text string. See the MySQL manual here

Sanitising is about checking the submitted data for unwanted and possibly malicious content and either rejecting the submission; or stripping out; or re-coding the data into a safe format. Escaping is a form of re-coding, but if the content is potentially malicious then it's probably better to remove it completely.

There's a much fuller discussion here.

Bob
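The split Max and Bob describe (escape or parameterise at save time, encode at display time, and decide separately what to do with unwanted content) as an added example. This is not code from this thread, from ChronoForms or from Joomla; it uses plain PHP with PDO and an in-memory SQLite database so it runs stand-alone, and the table name, column names, function names and sample inputs are invented for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not ChronoForms or Joomla code. It separates the three steps
// discussed in the thread: (1) storing submitted values without letting them
// alter the SQL, (2) encoding them only when they are displayed as HTML, and
// (3) optionally rejecting HTML at submission time. The table, column names
// and sample inputs are invented for this example; it uses an in-memory SQLite
// database through PDO so it runs stand-alone.

// (1) Storage: bound parameters, so the driver handles quoting and the value
// is saved byte-for-byte as submitted. With Joomla's database class the
// equivalent is $db->quote($value) when building the query string.
function saveSubmission(PDO $db, string $name, string $comment): int
{
    $stmt = $db->prepare(
        'INSERT INTO submissions (name, comment) VALUES (:name, :comment)'
    );
    $stmt->execute([':name' => $name, ':comment' => $comment]);
    return (int) $db->lastInsertId();
}

function loadSubmission(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT name, comment FROM submissions WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// (2) Display: encode for the HTML body context at output time, not at save
// time. ENT_QUOTES also encodes the single quote that started this thread.
function renderSubmission(array $row): string
{
    $h = static fn (string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><b>' . $h($row['name']) . '</b>: ' . $h($row['comment']) . '</p>';
}

// (3) Policy: the poster wants no HTML from users. Rejecting is preferable to
// silently stripping, because the stored value then equals what was accepted.
function containsHtml(string $s): bool
{
    return $s !== strip_tags($s);
}

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE submissions (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL, comment TEXT NOT NULL)');

// Constructed inputs: an apostrophe (the "test'" case from the thread), an
// injection attempt, and an HTML payload.
$inputs = [
    ["O'Neil", "test' with an apostrophe"],
    ["x', 'y'); DROP TABLE submissions; --", 'injection attempt'],
    ['Mallory', '<script>alert(1)</script>'],
];

foreach ($inputs as [$name, $comment]) {
    if (containsHtml($name) || containsHtml($comment)) {
        echo 'Rejected, HTML not allowed: ' . var_export($comment, true) . "\n";
        continue;
    }
    $row = loadSubmission($db, saveSubmission($db, $name, $comment));
    if ($row['name'] !== $name || $row['comment'] !== $comment) {
        throw new RuntimeException('stored value was modified');
    }
    echo renderSubmission($row), "\n";
}

// The table survived: the DROP TABLE text was stored as data, not run as SQL.
echo 'rows stored: ' . $db->query('SELECT COUNT(*) FROM submissions')->fetchColumn() . "\n";
```

The point the thread circles around is visible in the check inside the loop: with bound parameters (or Joomla's `$db->quote()` when you concatenate SQL yourself) the apostrophe in `test'` is never rewritten before it reaches the database, so there is nothing to "change it to"; the encoding Max mentions, `htmlspecialchars`, belongs at the place where the value is put into a page. Whether to reject or strip HTML is a separate policy decision, which is why it sits in its own function.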
Gatsman 22 May, 2017
Thank you for the details, Bob, I've got some reading to do 🙂