0

Possible Duplicate:
What's the best method for sanitizing user input with PHP?
What are the best PHP input sanitizing functions?
The ultimate clean/secure function

Goal: Properly sanitize all inputs from text boxes before entering into DB, which is then output to a page. For my use case, I need to prevent potential problems while not eliminating the data input. Also, the charset is explicitly set to UTF-8 in both the HTTP header and the META tag to prevent problems with malformed encoding. The DB is also set to UTF-8.

Specs: PHP, MySQL, Apache

Sample Code:

    function secureinput($input)
    {
       $input = htmlspecialchars($input, ENT_QUOTES ,'UTF-8');
       $input = strip_tags($input); //fail-safe for anything that gets through
       $input = mysql_real_escape_string($input);

       return $input;
    }

Question: What vectors of attack (XSS, SQL Injection, etc.) is this still vulnerable to?

A huge thanks to anyone who can help. This is my first time posting, though I've always turned to SO first for looking up answers to my questions. Unfortunately, this time I couldn't find any other questions that answered my problem, only small parts of it.

Community
  • 1
  • 1
  • 1
    To take secutiry to the next level start using PDO (or mysqli) in stead of mysql_* functions. ;) – Bono Jul 28 '12 at 20:09
  • You should also use [parameterized SQL](http://www.codinghorror.com/blog/2005/04/give-me-parameterized-sql-or-give-me-death.html) to 100% eliminate the risk of SQL injection. – Tushar Jul 28 '12 at 20:13
  • 1
    There is no magic everything-at-once security/sanitization function. It all depends on context. What you have there is crap. – mario Jul 28 '12 at 20:16
  • This very question has been asked over and over again: http://stackoverflow.com/q/129677/112968 – knittl Jul 28 '12 at 20:21
  • i would choose ready solutions from frameworks or libraries instead of building a solution from scratch. There will always be a security hole somewhere in the code.. – Gntem Jul 28 '12 at 20:24
  • @Bono: Yes, I should have used mysqli_* commands rather than the deprecated mysql_*. –  Jul 28 '12 at 20:49
  • Using PDO and verifying the type (numbers, text, etc.) and length of input data is a must, though outside of the sample code I wrote. I'm trying to determine if this adequately sanitizes from attack the data that will be output back to the screen or if anyone sees anything glaring (obviously nothing is 100%). –  Jul 28 '12 at 20:56
  • @mario: Yeah, I missed that one. Thanks for pointing it out. However, simply calling the sample code crap and not actually pointing out why is pointless. –  Jul 28 '12 at 20:59
  • You should read [The ultimate clean/secure function](http://stackoverflow.com/q/4223980/53114), it’s basically what you’re asking for. – Gumbo Jul 29 '12 at 07:39

1 Answers1

1

XSS Attacks

By using htmlspecialchars() whenever you output user-inputted content, you can ensure you will be safe from XSS attacks.

SQL Injection

Steve Friedl provides some examples of SQL Injections and limitations of input sanitization on his website: http://www.unixwiz.net/techtips/sql-injection.html

Even though your code may be secure from SQL injection attacks with mysql_real_escape_string(), you are better off using parameterized SQL and eliminating the risk of SQL injection altogether. You will also be much more secure if you use PDO or mysqli in PHP instead of the deprecated mysql functions.

Tushar
  • 8,019
  • 31
  • 38