Name: MySQL - PHP で変数をサニタイズする (filter_var) (MySQL - Sanitize Variables with PHP (filter_var))
Uploaded: 2021-01-14T10:11:45.000Z
Duration: 23 min 42 s
Description: VoiceTubeの動画で発音を聞きながら英語表現を覚えよう！学べる英語：

creating these classes requires equipment and service.

If you appreciate this education, please think about going to Eli the computer guy dot com and offering a one time or monthly recurring donation.

As you know, I am Eli the computer guy, and in today's class, I'm going to be showing you how to sanitize your variables when you're sending data from your PHP scripts to you're my sequel.

So again, we're going to be using an HTML form.

That HTML form is going to be handing off the variable values to a PHP script that PhD script is going to then parts.

The values turned them into PHP variables.

Plug that into a sequel statement and ship that off to the my sequel database server to insert insert records into that.

Understand, whenever you're dealing with security and the computer around is that you're going to have to deal with security from multiple fronts too many times when people think about security again, when it comes to technology, they have this idea of like one product or one solution secures your system, which is just foolish again for dealing with a computer or dealing with a server.

You do not simply install anti virus in your system is sick.

You're one thing does not secure the system.

If it's ah, client computer, you probably want some anti spam or anti malware anti spyware software on there you need to have the firewall on.

You need to have the account policies set up properly.

Plus, you just need a backup system in case something stupid happens, right?

You have multiple ways to secure either your client system for your server system.

You don't just use one product the same mystery whenever you're dealing with things like my sequel database servers again, like a lot of people, hyper focus on one specific attack in order to secure their server, and they ignore the other ways that their systems could be attacked.

And, of course, at the end of the day, when something happens, they always say, I did what I was supposed to do.

What anyone s 01 of things we did in the last classes.

We did something called a prepared statement, so prepared statement tries to prevent what Ercole sequel injection attacks.

So the idea with a sequel injection attack is that you try to escape out of the statement that PHP is sending to your my sequel server and then essentially add your own sequel statement.

So there's an or there's a statement that supposed to be sent.

You try to do something to escape out of that statement and your own statement, and then you hope into my civil database server, then read your statement and actually execute that.

So this could be a something such as deleting a table.

This could be something like adding a record to a table.

Or this could be something such as backing up the tables or database to an off site location, going off some backup.

I'm just, you know, off citing it to someplace these people don't know exist.

But one of things everything about with injection attacks is beyond an injection attack again.

Where you're doing something a sequel injection or to try to manipulate the server is that you can have your users also trying to insert things, suck as tags or such as other types of code that will be triggered in different ways.

Eso one of things that I'm going to show you today is basically where we're going to use the same form we've used, like 10 times.

It's an egg, It's a gender, and that goes into the students table.

One of things that I'm going to show you how to do is instead of typing out a normal names like his Bob or whatever else what I'm going to actually do is I'm gonna type in a hyper link with Bomb as the name's type out the entire a ref tag.

Plug that into the normal HTML form that will then get plugged into the my sequel database servers table.

And then when we do a select statement, basically we print that out onto our Web browser screen.

You'll see that there's one particular record where the name is that will actually now be a hyper link that you can click on it right on.

So this is one of the problems you can run into, and this is where we have to think about security from all aspects of your system.

So if you have users that are going to your site and somebody does something suckers plug in a.

Oh, a hyperlink were simply a name should be.

You then may have your users quick enough hyperlink that goes to a spam site or virus site or something like that.

And then you start causing all kinds of problems.

What we're going to do today is we're going to be.

Then it's sanitizing what is called a sanitizing that variable.

So we're going to use a function called filter Underscore Bar.

So what this function does, is it actually sanitizes variables?

You do parentheses, you then give the variable that you want to sanitize you, then do comma, and then you give it what filter you want to basically filter.

Sanitize that variable based on so they have a filter for strings.

Actually, I'm like 20 different filters, and again, this is one of those things to be thinking about is not like you.

Just do one filter against the variables.

It depends on what what type of variable you're supposed to be using.

So if it's supposed to be an email address that somebody is submitting that you could do the filter underscore bar, dollar sign, email, whatever is comma, the whatever the filter is for the email address.

And then basically, what we do is what filter will do is it'll rip out everything that isn't supposed to be in an email address.

What I'll show you today, using the string filter is basically again.

I will plug in that a ref into the form will actually see how that works is an attack.

But then, after that, I will add this filter to our normal PHP code.

And what will happen is that this filter will go through and it'll actually rip out.

All the HTML tags on will simply leave the text that is supposed to be here.

So this is what we're talking about when we're talking about sanitizing variables, and that's why it's important when you're dealing with again.

HTML forms PHP inserting or updating into my sequel a database tables.

There's no riel warning warning for today it's Maur.

This is the type of thing that you are going to have to play with.

You being a tech professional is supposed to play an experiment and see what happens.

I can't believe the advice you give sometimes, Eli, but that's related case again.

When you're going through when you're trying to sanitize the variables with the particular function that I'm showing you today filter underscore bar.

So what I would suggest is you just you create some really nasty variables and then you you play and you go out and see what the results are When you send that nasty variable through these different filters and you figure out what result works best for you, I will also say again when you're talking about doing things like a sanitizing your variable that there are other functions you can use to sanitize variables how you d'oh.

Uh, the sanity ization of your variables really depends on what results you need.

And that that's one of those things you can run into or it's not.

It's not that there is one way to solve any problem.

Do make sure you play with this on test systems.

You're not really sure what you're doing?

You could host something up really quickly, but that's really all the warning is today is Go play with this.

Try a lot of different experimentations, see what happens, and then you go from there.

So with that, let's go to the computer and I'll show you how this works.

So here we are, back in my lab environment again.

But realistically, any version of a bunch of desktop should work fine for you.

I have this right in a virtual machine and virtual box.

字幕リスト動画再生

MySQL - PHP で変数をサニタイズする (filter_var) (MySQL - Sanitize Variables with PHP (filter_var))

nasty

multiple

compromise

basically