1

I have been using this code on my website for a long time, and just want to make sure I am correctly sanitizing my PHP $_POST inputs...

foreach($_POST as $key=>$val) //this code will sanitize your inputs.
  $_POST[$key] = mysqli_real_escape_string($connection, $val);

Say for example I had the POST value $_POST['comment'] that I wanted to add to a database, would this be a good and safe way to sanitize it before database entry?

foreach($_POST as $key=>$val) //this code will sanitize your inputs.
  $_POST[$key] = mysqli_real_escape_string($connection, $val);

//is this safe? or is there another step?
$comment = $_POST['comment'];

if($comment != ""){
  //add $comment to database
}

Is there something that I still need to do before adding $comment to the MySQL database? Or do those top two lines do the magic by themselves? Please let me know if this is a good, safe way to do it, or if there is an even better way! Thanks!

pattyd
  • 5,927
  • 11
  • 38
  • 57

6 Answers

2

Possible duplicate of: https://stackoverflow.com/questions/15664021/php-escaping-vars-posted-through-var-and-got-by-postvari-with-a-meth

I already tried your way. It seems there's no magic function. However, from classic MySQL injections you can be safe when adding mysqli_real_escape_string to each posted value and then using it as a string (quoted) in the db, but it's considered bad practice and also is not the most secure way.

Since MySQLi provides parameterized queries, you should get familiar with them, and leave the real escaping, corresponding to the database driver, to the library.

Royal Bg
  • 6,988
  • 1
  • 18
  • 24
  • that helps, thanks! I will do a bit of research! I will accept answer in one minute – pattyd May 20 '13 at 22:41
  • +1 for parameterized queries. Calling the escape functions by hand is a sign you're doing something wrong. – tadman May 20 '13 at 23:37
1

It's not. One can use multibyte attacks, which will bypass all these sanitizers.

Moreover,

According to this answer, one should avoid writing to $_POST so one can keep sanitized code far from unsanitized. Even though you "sanitize" everything, it leads to bad habits.

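As an added example (not code from either of the two answers above), here is the asker's comment insert reworked along the lines those two answers describe: $_POST is read but never written back to, the connection charset is set through the driver so that mysqli_real_escape_string() knows which byte sequences are multibyte characters, and the value reaches MySQL as a bound parameter of a prepared statement rather than as text spliced into the SQL. The table and column names, the connection details and the length limit are assumptions for illustration, as is the legacyInsert() function, which only shows where escaping belongs if some code path still builds SQL text by hand.

```php
<?php
// Added example, not code from the question or the answers. Table/column
// names, credentials and the 4000-byte limit are illustrative assumptions.

// Make mysqli throw on failures instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$connection = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');

// Tell the driver which charset the connection uses. mysqli_real_escape_string()
// consults this to decide what counts as a multibyte character; issuing
// "SET NAMES ..." as a plain query does not update the driver's view.
mysqli_set_charset($connection, 'utf8mb4');

// Validation: decide what input is acceptable. Read $_POST into a local and
// leave $_POST itself untouched so other code still sees the raw value.
$comment = isset($_POST['comment']) ? (string) $_POST['comment'] : '';

if ($comment === '' || strlen($comment) > 4000) {
    http_response_code(400);
    exit('comment is required and must be at most 4000 bytes');
}

// Preferred path: the SQL text contains no user data at all. The server-side
// prepared statement fills in the "?" from the bound variable, so no escaping
// step is needed (and escaping here would double-escape).
function insertComment(mysqli $connection, string $comment): int
{
    $stmt = mysqli_prepare(
        $connection,
        'INSERT INTO comments (body, created_at) VALUES (?, NOW())'
    );
    mysqli_stmt_bind_param($stmt, 's', $comment);
    mysqli_stmt_execute($stmt);
    return (int) mysqli_insert_id($connection);
}

// Legacy path, shown only for contrast: if a code path still concatenates
// SQL, escape into a fresh local right at the query site, after
// mysqli_set_charset(), and never store the escaped form back into $_POST.
function legacyInsert(mysqli $connection, string $comment): void
{
    $escaped = mysqli_real_escape_string($connection, $comment);
    mysqli_query($connection, "INSERT INTO comments (body) VALUES ('$escaped')");
}

$id = insertComment($connection, $comment);
printf("inserted comment id %d\n", $id);
```

The order matters for the escaping fallback: mysqli_set_charset() has to run before mysqli_real_escape_string(), and the escaped value is only valid inside the quoted string literal it was produced for. The prepared-statement path has neither constraint, which is why the answers recommend it.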
1

This is not a good way to sanitize input. Queries should be parameterized and input should be fed as arguments no matter where it comes from. No additional sanitation should be done (otherwise it could be duplicated).

If you have specific rules (such as $comment != "") this is validation, and it is up to you to decide validation rules and how to handle invalid input (which is different than unsanitized input).

Example of using properly parameterized prepared statement with mysqli:

$stmt = mysqli_prepare($connection, "INSERT INTO comments VALUES (?)");
mysqli_stmt_bind_param($stmt, "s", $comment); // "s": bind $comment as a string
mysqli_stmt_execute($stmt);
Explosion Pills
  • 188,624
  • 52
  • 326
  • 405
  • 3
    It's important to note here that sanitization is done *only* at the point of query execution. Doing it prematurely leads to all kinds of problems. – tadman May 20 '13 at 22:34
  • @tadman I did not note that, but it is important to highlight it – Explosion Pills May 20 '13 at 22:35
  • @tadman Noob question, but you're saying that using functions like filter_var is not a "good practice" for safe PHP? If you could take a look at my answer below and comment on it, that would be great. – Rixhers Ajazi May 20 '13 at 22:53
  • @RixhersAjazi depends on what they are used for. If we are talking about sanitation of arguments for a query to prevent injection, I don't see how `filter_var` would fit in, but it could be very useful for validation (which is still important) and possibly other security concerns depending on the specifics – Explosion Pills May 20 '13 at 22:54
  • @ExplosionPills Yeah, you're very right... I am thinking of filter_var as a way of helping to create safer user input to help mitigate the chance of XSS. I've just always used the filter_var functions to be safe. – Rixhers Ajazi May 20 '13 at 22:58
0

_real_escape_string does not sanitize user inputs completely. You must use prepared statements.

Object oriented style

$stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
// bind_param binds by reference, so the variables may be assigned afterwards
$stmt->bind_param('sssd', $code, $language, $official, $percent);

$code = 'DEU';
$language = 'Bavarian';
$official = "F";
$percent = 11.2;

$stmt->execute(); // values are read at execution time

Procedural style

$stmt = mysqli_prepare($link, "INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
// mysqli_stmt_bind_param binds by reference, so the variables may be assigned afterwards
mysqli_stmt_bind_param($stmt, 'sssd', $code, $language, $official, $percent);

$code = 'DEU';
$language = 'Bavarian';
$official = "F";
$percent = 11.2;

mysqli_stmt_execute($stmt); // values are read at execution time

Parameter types

Character     Description
i   corresponding variable has type integer
d   corresponding variable has type double
s   corresponding variable has type string
b   corresponding variable is a blob and will be sent in packets

Documentation

Kermit
  • 33,827
  • 13
  • 85
  • 121
  • 1
    `mysql_real_escape_string`, while ugly and deprecated, does technically sanitize them correctly. – tadman May 20 '13 at 22:33
  • @tadman [Not according to this](http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html) – Kermit May 21 '13 at 00:46
  • It does have known limitations, which is why `mysql_query` needs to go away, you're right there. – tadman May 21 '13 at 01:40
  • @tadman Doesn't matter the API; prepared statements should be used period. – Kermit May 21 '13 at 01:46
0

The downside is that you maim the POST vars, so you can't use them for purposes other than queries. For example, what if you still wanted to echo out some POST vars?

Better is to escape to a new array.

And even better is to not escape but use parameterized queries.

nl-x
  • 11,762
  • 7
  • 33
  • 61
0

You're missing some of the most important things to safe PHP coding.

Let's start from the beginning.

Start with these links please : Please read the code comments

This first // and this second!

1) Validate and then filter your data if it passes validation!

So we have a registration form, one that takes emails... so now what we do is validate the email.

$email = $_POST['email']; // Declare the variable
if (filter_var($email, FILTER_VALIDATE_EMAIL)) { // If validation passes ...
    $safe_email = filter_var($email, FILTER_SANITIZE_EMAIL); // Sanitize the email
} else { // Validation fails, no need to sanitize
    echo "WRONG EMAIL PUNK!!!!";
}

2) Now using either MySQLi or PDO (I prefer PDO) we do:

$dbh = new PDO("mysql:host=xxxxxx;dbname=xxxxxx;charset=utf8", "xxxxxxxx", "xxxxxxxx"); // Set up the PDO instance. PLEASE DO NOT FORGET TO EXPLICITLY STATE A CHARSET!!!!
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // Set up error mode
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // I prefer emulate prepares to be false

$sql = "INSERT INTO ..... (........., email) VALUES (............, :email)"; // Set up our named parameter
$query = $dbh->prepare($sql); // Prepare the query
$query->bindParam(':email', $email);
$query->execute(); // Yay!

It's all fine and dandy using PDO and MySQLi, but there is an expression:

It's not the wand, it's the wizard.

PDO / MySQLi cannot solve everything! Make sure to

Refer to my other question on how to set up PDO

1) Validate 2) Sanitize 3) use parameters for safer queries! 4) Escape any outside (un-trusted data)

Follow these PHP security practices for safer PHP coding.

Enjoy

Rixhers Ajazi
  • 1,303
  • 11
  • 18
  • A lot of what's present here is the anti-pattern of not using a proper ORM. Data validation should be done in a consistent manner and encapsulated in a proper structure so as to be re-usable. Having a line of code like `filter_var($email, ...)` is not a very portable way of doing this. At least you've got PDO set up properly and are using the named placeholders feature to make it clear that everything is being properly escaped at the time of execution. – tadman May 20 '13 at 23:37
  • Well the proper way would be to create functions that do this, no? Again I'm only asking as you seem to know more about the filter_var function. – Rixhers Ajazi May 20 '13 at 23:46
  • The proper way would be to use an ORM and have consistent, testable methods for cleaning, validating, and persisting user input. Writing arbitrary functions to clean things is only going to work for trivial programs. Anything bigger than that needs more structure, and an ORM provides that. There are many to choose from. Pick one that fits your needs. – tadman May 21 '13 at 01:44
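As an added example (not the answer's own code), the four steps the answer lists, validate, sanitize, use parameters, escape untrusted data on output, carried through for a registration form with PDO, with each step in its own function so it can be reused and tested as the comments above ask for. The users table, its columns, the connection details and the 254-byte length cap are illustrative assumptions; the sanitize step is folded into validation because a value that has passed FILTER_VALIDATE_EMAIL contains nothing that FILTER_SANITIZE_EMAIL would strip.

```php
<?php
// Added example, not code from the answer above. Table/column names, the
// connection details and the 254-byte cap are illustrative assumptions.

function connect(): PDO
{
    // charset in the DSN makes driver and server agree on the encoding of the
    // bytes in flight; ERRMODE_EXCEPTION makes failures loud; turning emulated
    // prepares off sends real server-side prepared statements.
    $dbh = new PDO('mysql:host=localhost;dbname=app_db;charset=utf8mb4', 'app_user', 'app_password');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $dbh;
}

// Step 1 (and 2): validate. Returns the accepted address or null; the caller
// decides how to report rejected input. Nothing is modified in $input.
function validateEmail(array $input): ?string
{
    if (!isset($input['email']) || !is_string($input['email'])) {
        return null;
    }
    $email = trim($input['email']);
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

// Step 3: parameterize. The SQL text is a constant; the value travels
// separately as a bound parameter, so no escaping is done here.
function insertUser(PDO $dbh, string $email): int
{
    $stmt = $dbh->prepare('INSERT INTO users (email, created_at) VALUES (:email, NOW())');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $dbh->lastInsertId();
}

// Step 4: escape for the context the data is written into. Here that is an
// HTML body, so the SQL-side handling above is irrelevant and HTML encoding
// is what prevents the stored value from being interpreted as markup.
function renderConfirmation(string $email): string
{
    return '<p>Registered ' . htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$email = validateEmail($_POST);
if ($email === null) {
    http_response_code(400);
    exit('invalid email address');
}

$dbh = connect();
$id = insertUser($dbh, $email);
echo renderConfirmation($email);
```

Each step guards a different boundary: validation decides what the application accepts, the bound parameter keeps data out of the SQL grammar, and htmlspecialchars() keeps it out of the HTML grammar on the way back out. Skipping the last step is how a value that was stored safely still ends up as XSS when echoed.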