Obviously you should validate ALL user input data on the server side. I'm just curious what is considered "proper" input validation and the order of which it should be done.

As of right now (and recent projects past) I have done it this way:

Get the user input, instantiate the object, and call the method:

if(isset($_POST['addCat'])) {
    $db = new DBConnection;
    $categories = new Category($db);

    if($categories->insert_cat($_POST['name']) === TRUE) {
        echo "Category Inserted Successfully!";
    }
}

The method called from the instantiated object which:
1. escapes the user input
2. instantiates the data_validation object (see the validation object below)

class Category {
    private $mysqli;

    // $db is the DBConnection created by the caller; it must expose the
    // mysqli methods used below (real_escape_string(), query(), error).
    public function __construct($db) {
        $this->mysqli = $db;
    }

    public function insert_cat($catName) {
        // the value is escaped BEFORE it is validated
        $catName = $this->mysqli->real_escape_string($catName);
        $validate = new data_validation;

        if(!($validate->validate_string($catName))) {
            echo "Invalid characters found in category name";
            die();
        }

        $query = $this->mysqli->query("INSERT INTO categories(name) VALUES ('".$catName."')");

        if($query === false) {
            // prints the raw MySQL error message to the user
            printf("Error: %s\n", $this->mysqli->error);
            die();
        } else {
            return true;
        }
    }
}

data_validation class which:
1. trims the data
2. matches the data to a regular expression
3. returns the data to the insert_cat method for database insertion

class data_validation {
    // Returns true/false only; the trimmed value is not passed back to the caller.
    public function validate_string($data) {
        // Remove excess whitespace
        $data = trim($data);

        if ( preg_match("/^[0-9A-Za-z \.\-\'\"]+$/", $data) ) {
            return true;
        } else {
            //return 'Not a valid string';
            return false;
        }
    }
}

So basically in short my question is: Is it proper to first escape the data, then trim it, then compare it to a regular expression, then add htmlentities() or something of that sort to preserve any formatting, or should it be done in a different order?

Any tips to improve my security habits are more than welcome!

PeeHaa
Ty Bailey
  • Format sanitizing comes first, then database escaping prior to the SQL query. On a related note, you could skip the SQL escaping if you were to use *prepared statements*. -- `htmlentities` should be applied right before outputting. – mario Feb 13 '13 at 03:51
  • So it's not a problem that I am escaping the user input first? I could use prepared statements but I am unfamiliar with PDO. I thought `htmlentities` was to preserve html entities in the database, then you use `html_entity_decode` to decode the html entities? – Ty Bailey Feb 13 '13 at 03:54
  • 2
    Ooops, yes. Then it's wrong. Escaping must be the last step. And mysqli allows for parameter binding as well. `htmlentities` has nothing to do with the database. It's used when writing text into HTML context (=page output), not before. – mario Feb 13 '13 at 03:56
  • You should use parameterized queries in mysqli to prevent injection. See: http://www.php.net/manual/en/mysqli-stmt.bind-param.php Also, consider the fact there is no need to sanitize a users input until it is being used or manipulated in some way (output, used in calculations, etc). – anditpainsme Feb 13 '13 at 03:58
  • See also [What's the best method for sanitizing user input with PHP?](http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php). Which is not to say that format filtering is never applicable; it just seldom has a bearing on security. – mario Feb 13 '13 at 04:01
  • So escaping the input is the last step I should be concerned with? If I used parameterized queries, that is the same thing as using prepared queries, am I wrong? I'm not familiar with prepared queries so I don't plan on using them. If my understanding of `htmlentities` is wrong, what should I use to store html elements in the database and properly output them with correct formatting? – Ty Bailey Feb 13 '13 at 04:33
  • 1
    Yes that is correct Ty, parametized queries are the same as prepared statements. They are easy and convenient to learn, and add a massive layer of security to your application. You can store user input directly to the database with prepared statements and there is no need to sanitize or escape any input as prepared statements will do this for you. The only time you will have to escape or sanitize any user input is when you manipulate or output the data. Ie: validating the data is in the correct format, or ensuring the user has not tried to execute html/JS code on your page (htmlentities). – anditpainsme Feb 13 '13 at 05:03
  • `HTMLENTITIES()` should only be used for output, ie: printing/echoing. HTML has no bearing on the database and can be stored in raw form. – anditpainsme Feb 13 '13 at 05:11
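The flow the comments describe, as an added example (not code from the question or from any commenter): the raw input is validated first, the value is bound with a mysqli prepared statement instead of being passed through real_escape_string(), and HTML escaping happens only when the name is echoed back. It assumes PHP 8, a mysqli connection to a database that has a categories(name) table, and a 64-character column; the connection credentials, the 64-character limit and the h() helper name are placeholders chosen for the example.

```php
<?php
// Added example, not the asker's code. Order of operations:
//   1. validate the raw input (trim, length, character class)
//   2. bind the value as a parameter; no SQL escaping anywhere
//   3. escape for HTML only at the point of output
declare(strict_types=1);

final class CategoryNameValidator
{
    // Same character class the question used, plus a length bound so the value
    // also fits the column (64 is an assumed column width). The check runs on
    // the untouched input: nothing is escaped here because nothing is being
    // handed to another interpreter yet.
    public static function validate(string $raw): ?string
    {
        $name = trim($raw);
        if ($name === '' || strlen($name) > 64) {
            return null;
        }
        if (!preg_match('/^[0-9A-Za-z .\-\'"]+$/', $name)) {
            return null;
        }
        return $name;
    }
}

final class Category
{
    public function __construct(private mysqli $mysqli) {}

    // The name travels to the server as a bound parameter, separate from the
    // SQL text, so a quote or a comment sequence inside it cannot change the
    // statement. Returns the new row id.
    public function insert(string $name): int
    {
        $stmt = $this->mysqli->prepare('INSERT INTO categories (name) VALUES (?)');
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $this->mysqli->error);
        }
        $stmt->bind_param('s', $name);
        if (!$stmt->execute()) {
            throw new RuntimeException('execute failed: ' . $stmt->error);
        }
        return (int) $stmt->insert_id;
    }
}

// Output escaping lives at the HTML boundary, not in the database layer.
// ENT_QUOTES matters here because the validator deliberately allows ' and ".
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if (isset($_POST['addCat'])) {
    $name = CategoryNameValidator::validate((string) ($_POST['name'] ?? ''));
    if ($name === null) {
        http_response_code(400);
        echo 'Invalid category name';
        exit;
    }

    // Placeholder credentials; replace with the real DBConnection settings.
    $mysqli = new mysqli('localhost', 'shop_user', 'shop_password', 'shop');
    $mysqli->set_charset('utf8mb4');

    $id = (new Category($mysqli))->insert($name);

    // The stored value is the raw, validated name; it is escaped only here.
    echo 'Category <b>' . h($name) . '</b> inserted with id ' . $id;
}
```

Two things this ordering buys that the question's version does not: the regular expression sees the value the user actually typed, rather than a backslash-escaped copy (with the original order, a name containing `'` becomes `\'` before the check and is rejected by a pattern that was meant to allow it), and a database error no longer surfaces the raw MySQL message to the visitor, since the exception can be caught and logged by whatever wraps this script.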

1 Answer

On the Open Web Application Security Project (OWASP) site you'll find most if not all the information you need about validation and security in general.

afarazit