The ultimate clean/secure function

php security xss sql-injection
63,653

Solution 1

The idea of a generic sanitation function is a broken concept.

There is one right sanitation method for every purpose. Running them all indiscriminately on a string will often break it - escaping a piece of HTML code for a SQL query will break it for use in a web page, and vice versa. Sanitation should be applied right before using the data:

  • before running a database query. The right sanitation method depends on the library you use; they are listed in How can I prevent SQL injection in PHP?

  • htmlspecialchars() for safe HTML output

  • preg_quote() for use in a regular expression

  • escapeshellarg() / escapeshellcmd() for use in an external command

  • etc. etc.

Using a "one size fits all" sanitation function is like using five kinds of highly toxic insecticide on a plant that can by definition only contain one kind of bug - only to find out that your plants are infested by a sixth kind, on which none of the insecticides work.

Always use that one right method, ideally straight before passing the data to the function. Never mix methods unless you need to.

Solution 2

There is no point in simply passing the input through all these functions. All these functions have different meanings. Data doesn't get "cleaner" by calling more escape-functions.

If you want to store user input in MySQL you need to use only mysql_real_escape_string. It is then fully escaped to store safely in the database.

EDIT

Also note the problems that arise with using the other functions. If the client sends for instance a username to the server, and the username contains an ampersand (&), you don;t want to have called htmlentities before storing it in the database because then the username in the database will contain &.

Solution 3

You're looking for filter_input_array(). However, I suggest only using that for business-style validation/sanitisation and not SQL input filtering.

For protection against SQL injection, use parametrised queries with mysqli or PDO.

Solution 4

The problem is, something clean or secure for one use, won't be for another : cleaning for part of a path, for part of a mysql query, for html output (as html, or in javascript or in an input's value), for xml may require different things which contradicts.

But, some global things can be done. Try to use filter_input to get your user's input. And use prepared statements for your SQL queries.

Although, instead of a do-it-all function, you can create some class which manages your inputs. Something like that :

class inputManager{
  static function toHTML($field){
    $data = filter_input(INPUT_GET, $field, FILTER_SANITIZE_SPECIAL_CHARS);
    return $data;
  }
  static function toSQL($field, $dbType = 'mysql'){
    $data = filter_input(INPUT_GET, $field);
    if($dbType == 'mysql'){
      return mysql_real_escape_string($data);
    }
  }
}

With this kind of things, if you see any $_POST, $GET, $_REQUEST or $_COOKIE in your code, you know you have to change it. And if one day you have to change how you filter your inputs, just change the class you've made.

Solution 5

May I suggest to install "mod_security" if you're using apache and have full access to server?!
It did solve most of my problems. However don't rely in just one or two solutions, always write secure code ;)
UPDATE Found this PHP IDS (http://php-ids.org/); seems nice :)

Share:
63,653
Karem
Author by

Karem

Updated on July 22, 2020

Comments

  • Karem
    Karem almost 4 years

    I have a lot of user inputs from $_GET and $_POST... At the moment I always write mysql_real_escape_string($_GET['var'])..

    I would like to know whether you could make a function that secures, escapes and cleans the $_GET/$_POST arrays right away, so you won't have to deal with it each time you are working with user inputs and such.

    I was thinking of an function, e.g cleanMe($input), and inside it, it should do mysql_real_escape_string, htmlspecialchars, strip_tags, stripslashes (I think that would be all to make it clean & secure) and then return the $input.

    So is this possible? Making a function that works for all $_GET and $_POST, so you would do only this:

    $_GET  = cleanMe($_GET);
$_POST = cleanMe($_POST);

    So in your code later, when you work with e.g $_GET['blabla'] or $_POST['haha'] , they are secured, stripped and so on?

    Tried myself a little:

    function cleanMe($input) {
   $input = mysql_real_escape_string($input);
   $input = htmlspecialchars($input, ENT_IGNORE, 'utf-8');
   $input = strip_tags($input);
   $input = stripslashes($input);
   return $input;
}

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
How can I sanitize user input with PHP?
SQL Injection via URL parameter
Hacking training simulator
what's the meaning of 'admin' OR 1=1 -- '
Do I need to sanitize the user input Laravel
Examples of XSS that I can use to test my page input?
XSS attack to bypass htmlspecialchars() function in value attribute
CodeIgniter - why use xss_clean
Is strip_tags() vulnerable to scripting attacks?