0

I am making a forum at this moment.

I would like to sanitize my input data (that is, the posts from users) before sending it to the MySQL database.

I already have been searching some functions to do that, but I'm not sure if I have used enough of them and if they're all secure enough. Any suggestions are welcome.

Here is the code I have:

$message=$_POST['answer'];
$message=nl2br($message); //adds breaks to my text
$message=stripslashes($message); //removes backslahes (needed for links and images)
$message=strip_tags($message, '<p><a><b><i><strong><em><code><sub><sup><img>'); //people can only use tags inside 2nd param
$message = mysql_real_escape_string($message); //removes mysql statements i think (not sure)

edit: Please tell me if I should add some tags to the strip_tags function. Maybe I have forgotten some.

O. Jones
  • 103,626
  • 17
  • 118
  • 172
jannes braet
  • 1
  • 2
  • 8
  • 2
    [When inserting in db](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) and when [displaying the data on a page](http://php.net/manual/en/function.htmlspecialchars.php). – PeeHaa Jun 10 '12 at 14:32
  • Still allows XSS in attributes like `` – Gumbo Jun 10 '12 at 14:33
  • 2
    Since your comment says you're not sure what `mysql_real_escape_string()` does, you should [read its documentation](http://php.net/manual/en/function.mysql-real-escape-string.php) and while you're at it, [read about SQL injection](http://en.wikipedia.org/wiki/Sql_injection) to understand why this is so important. – Michael Berkowski Jun 10 '12 at 14:33
  • @jannesbraet just read the links I posted – PeeHaa Jun 10 '12 at 14:33
  • nl2br() is for helping control output to a HTML block. stripslashes() is basically of no real value, it helps ''undo'' (bad) output escaping that may have previously been applied (most useful for strings in a Javascript block). strip_tags() is a poor man's way of attempting to avoid cross-site scripting, that is only valid in one particular HTML output-context. None of these 3 functions things have anything to do with databases and will only serve to corrupt your data. – Cheekysoft Jun 11 '12 at 10:16

3 Answers3

2

Try using PDO instead. It has great binding function, which really improves security. Here's some examples: http://php.net/manual/pl/pdostatement.bindvalue.php

PDO is by default in PHP5, so pretty much everywhere these days.

Tomek Buszewski
  • 7,659
  • 14
  • 67
  • 112
1

If you want to allow limited HTML to be used in forum (as seen by the way you are using strip_tags()), use HTMLPurifier; otherwise you are vulnerable to javascript in attributes of those tags.

By the way, right now you are stripping the <br> tags you've added

Maxim Krizhanovsky
  • 26,265
  • 5
  • 59
  • 89
-1

When you save to DB:

$message=strip_tags($message, '<p><a><b><i><strong><em><code><sub><sup><img>'); //people can only use tags inside 2nd param
$message = mysql_real_escape_string($message); //removes mysql statements i think (not sure)

When you output:

$message=nl2br($message); //adds breaks to my text
$message=stripslashes($message); //removes backslahes (needed for links and images)

Besides, use htmlspecialchars when you write into html input elements like text or textarea

OBS: Don't reinvent the wheel. Learn some PHP framework like codeigniter that provides very secure ways to manage data. .

Igor Parra
  • 10,214
  • 10
  • 69
  • 101