Posted 2013-04-12 23:54:00
Many websites use databases. And databases use special characters to do things, such as mark the ends of input. For example, a website might use PHP code to look in a table of registered users. If this code doesn’t include suitable protection, nasty people can do nasty things by including the special characters in their input. (See here for examples.)
Fortunately, PHP provides ways to sanitise input by replacing such nasty characters with harmless equivalents. Unfortunately, I can’t get them to work.
My first obstacle was that my test called a piece of javascript to assemble the student’s answers into a string of name-value pairs: answer00=students_answer&answer01=students_answer&…, then tacked this onto the URL of the PHP script which handled these answers. The PHP script then used GET to pull the data from the augmented URL and decoded this string into separate variables, one per answer. Removing nasty input in javascript looks fiendishly complex.
So I wanted to send the answers straight to the PHP code. My way around doing this was to make my test a form, and accept the ugliness thereof. The javascript piece could go (it was an echo of a technique used in the registration step to admonish when incomplete data was given), so long as I made the test POST its answers straight to the PHP code.
It should, then, have been straightforward to sanitise the input by adapting the examples given at php.net. Several hours of out-of-cheese errors later, I wimped out. Despite the sanitised versions looking exactly as they should (so “text’ became “text’), my answer-processing code choked every time. My approach became: let’s assume my website will never be attacked, so the only character I have to worry about is ‘, because Klingon uses loads of them!
PHP provides a function that removes any set of characters from a ‘victim’ string – and the result is guaranteed to be a string. So subjecting each answer to removal of ‘ would suffice. Eventually I had code that did just this. (It’s unbelievable how many typos can be made in repeating $escapedq00 = str_replace ($search, $replace, $q00); 20 times, even when using copy and paste!)
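The apostrophe-stripping loop just described, beside the way the same POSTed answers can be stored without stripping anything, as an added example that is not the original post’s code. The answer00…answer19 field names follow the post; the `answers` table, its columns and the `$pdo` connection are assumed.

```php
<?php
// Added example, not the original post's code. Assumes a form that POSTs
// fields answer00..answer19 and a PDO connection $pdo to an assumed table
// `answers` (student_id, qnum, answer).

/** The post's approach: strip every apostrophe out of each answer. */
function stripApostrophes(array $post, int $count = 20): array
{
    $clean = [];
    for ($i = 0; $i < $count; $i++) {
        $key = sprintf('answer%02d', $i);          // answer00 .. answer19
        $raw = isset($post[$key]) ? (string) $post[$key] : '';
        // str_replace with a single search string always returns a string.
        $clean[$key] = str_replace("'", '', $raw);
    }
    return $clean;
}

/**
 * The alternative: a prepared statement. The answer text is sent as data,
 * never spliced into the SQL, so apostrophes (Klingon or otherwise) can
 * stay in the student's answer and no character needs removing.
 */
function storeAnswers(PDO $pdo, int $studentId, array $answers): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO answers (student_id, qnum, answer) VALUES (:sid, :q, :a)'
    );
    foreach ($answers as $key => $text) {
        $qnum = (int) substr($key, 6);             // "answer07" -> 7
        $stmt->execute([':sid' => $studentId, ':q' => $qnum, ':a' => $text]);
    }
}

// Usage sketch with a constructed POST body (a single apostrophe-laden answer):
// $answers = stripApostrophes(['answer00' => "Qapla'!"]);  // answer00 => "Qapla!"
// storeAnswers($pdo, 42, ['answer00' => "Qapla'!"]);       // stored intact
```

With the prepared statement the stripping step becomes unnecessary for the database; it only matters if the answer is later echoed into HTML or another context with its own special characters.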
So I can now sanitise answers enough for this classroom exercise. I freely admit, both here and in my code, that it’s just not good enough for real life. But I can now move on to the rest of the MoSCoW list. Hurrah! No more out-of-cheese errors, and the webTribble is untroubled.