
Currently I use this strategy:

After submitting an HTML form, or data sent using jQuery's $.get() or $.post(), I need to know what has come in and then apply logic on the basis of that.

Suppose I've got $_POST['username'], $_POST['password'] and $_POST['login_submit_button']. In my processing script file, I do this:

if (isset($_POST['login_submit_button'])
    && isset($_POST['username']) && $_POST['username'] != ""
    && isset($_POST['password']) && $_POST['password'] != "") {
  // calling a common function safe_vars() which does
  // mysql_real_escape_string(stripslashes(trim($any_variable_need_to_become_safe)))
  // and now using the above variables for different purposes like
  // calculation, insertion/updating old values in database etc.
}

I know all this logic is wrong or has serious issues, so I want a much more secure and proper solution instead of this. I welcome anyone to find vulnerabilities and severe security breaches in my strategy. This question can help others too; if the answers are more explanatory, this can be an informative community wiki.

Vishal
  • Checking for `strlen($_POST['username']) > 0` is more efficient because you won't have to check for whether the value exists or not anymore. – Pieter888 May 22 '12 at 12:21
  • or try `&& (!empty($_POST['username'])) && ...` – Neograph734 May 22 '12 at 12:22
  • Same with !empty($_POST['username']). This will throw a notice if $_POST['username'] isn't set (for both the empty and the strlen function, but I guess you won't display notice errors when your project is online). – Mohammer May 22 '12 at 12:25
  • @Pieter888: Yep, that seems better than how I check it with a blank string. @ Neograph734, @ Mohammer: Hmm, actually many times `isset()` doesn't work as I expect it to. I will try your suggestions. Thank you. – Vishal May 22 '12 at 12:35

2 Answers

There is no way to make a generic super "make things safe" function.

mysql_real_escape_string

You shouldn't use this at all. It uses the old mysql API, and assumes you are going to be manually smashing strings together to make SQL. Don't do that. Use PDO or mysqli and a function that deals in prepared queries and bound arguments.

stripslashes

This is an antidote to magic quotes. If magic quotes are not on it will destroy data. Don't use it. Turn magic quotes off instead.

trim

This destroys data. Don't use it unless you really want to remove white space at the start and end of the string.
Escape data for the target language immediately before inserting data into that language.

For SQL, use bound arguments and prepared queries.

For HTML, use htmlspecialchars or a template language that does escaping for you, such as mustache.

Alternatively, (if you want to allow HTML) parse it, generate a DOM, filter it using a whitelist, then serialise it back to HTML.

For JSON, use encode_json

etc.

Quentin
  • Very lightweight, intelligently covered everything I wanted to know! I want to start using PDO instead of the old obsolete mysql_* functions; a good and thoroughly explained PDO tutorial might help. Thanks for your answer by the way. – Vishal May 22 '12 at 12:41
  • @Quentin: But I'm curious whether the suggestions you mentioned are all I need to care about, or whether there are even more? – Vishal May 22 '12 at 12:48
  • HTML gets a bit more complex when you start considering things like the UTF-7 bug in old IE, or if you use `'` instead of `"` to delimit attribute values, or if you insert a URL into a document without checking that it is an acceptable URL (and not a `javascript:` URL). And languages that I don't mention need escaping for with something appropriate for that language. – Quentin May 22 '12 at 12:51
  • You only need to stripslashes if you have magic_quotes enabled (use get_magic_quotes_gpc to check)
  • You should white list filter your POST vars using filter_var or ctype_* or preg_match (as well as checking bound conditions such as length and presence)
  • Use prepared statements / PDO for your queries to ensure proper escaping
  • Escape any html output with htmlentities

Nothing is bulletproof, however the above are good practices to avoid SQL injection / XSS.

Ingmar Boddington
  • Hmm, I have magic_quotes off by default, but I was using `stripslashes` for nothing. Your #2 point is noteworthy; I'll study your recommendations in more detail to filter POST vars. Thank you. – Vishal May 22 '12 at 12:45
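The login handler from the question, rewritten the way both answers above suggest: whitelist-validate the POST fields, bind the SQL parameter through a PDO prepared statement, and escape for HTML only at output time. This is an added example, not code from the question or either answer; it assumes the pdo_sqlite extension, a hypothetical users table with a password_hash column, and a made-up username policy.

```php
<?php
// Added example, not code from the question or either answer: the OP's login
// handler rewritten along the lines both answers give. Uses an in-memory SQLite
// database through PDO (pdo_sqlite assumed) so it runs stand-alone; use a MySQL DSN in production.
declare(strict_types=1);

// 1. Validate with a whitelist of what each field may look like; reject, don't "clean".
function validate_login(array $post): ?array
{
    if (!isset($post['login_submit_button'], $post['username'], $post['password'])) {
        return null;                      // form not submitted, or a field is missing
    }
    $username = filter_var($post['username'], FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[a-z0-9_]{3,32}$/i']]);   // hypothetical username policy
    $password = (string) $post['password'];
    if ($username === false || $password === '' || strlen($password) > 1024) {
        return null;
    }
    return ['username' => $username, 'password' => $password];
}

// 2. SQL: prepared statement with a bound argument; no string escaping by hand.
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. HTML: escape at output time, for the HTML context, rather than on input.
function greeting_html(string $username): string
{
    return '<p>Welcome, ' . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed demo data: one users row (hashed password assumed) and one submitted form body.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['vishal', password_hash('correct horse', PASSWORD_DEFAULT)]);

$fields = validate_login(['login_submit_button' => 'Login', 'username' => 'vishal', 'password' => 'correct horse']);
$user   = $fields !== null ? find_user($db, $fields['username']) : null;
if ($user !== null && password_verify($fields['password'], $user['password_hash'])) {
    echo greeting_html($user['username']), PHP_EOL;
} else {
    echo 'Login failed', PHP_EOL;
}
```

A username containing quotes or other SQL metacharacters is rejected by validate_login before it reaches the database, and even if the policy were looser the bound parameter would carry it as data, not as SQL.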