
I know this is a never-ending battle, and everyone has different methods and opinions... I need a new method of cleaning/sanitizing the user input in PHP. I've had some random files appear in one of my website directories... I'm not sure if it's due to stolen passwords or what, but clearly my method is not working anymore!!!! I'm sorry that this is probably a duplicate, but I'm tired of my server having vulnerabilities!!!

I currently use this:

    function clean($value) {
        if (is_array($value)) {
            // Recurse into nested arrays (e.g. $_POST['user']['name'])
            foreach ($value as $k => $v) {
                $value[$k] = clean($v);
            }
        } else {
            // Undo magic_quotes escaping if it is on.
            // Note: get_magic_quotes_gpc() is deprecated since PHP 7.4 and removed in PHP 8.
            if (get_magic_quotes_gpc() == 1) {
                $value = stripslashes($value);
            }
            // HTML-escape and trim; the value is now altered before it is stored
            $value = trim(htmlspecialchars($value, ENT_QUOTES, "utf-8"));
            // mres() is not defined in the post; it appears to be the poster's own
            // wrapper around mysql_real_escape_string()
            $value = mres($value);
        }
        return $value;
    }

Then I usually include this at the top of each file:

$POST = clean($_POST);
$GET = clean($_GET);

Please help before flagging me because I can't get blacklisted for spam again!

c0nfus3d
  • I doubt this function will have any effect on your problem – John Conde Dec 11 '13 at 19:07
  • What are you trying to sanitize? Your question makes me think files - if you're doing that, you can check by MIME-type. http://www.php.net/manual/en/ref.fileinfo.php – James Binford Dec 11 '13 at 19:09
  • Sorry, just user input.. I usually do something like `$POST = clean($_POST);` – c0nfus3d Dec 11 '13 at 19:11
  • if you put it on top of each file, you might end up double escaping everything if you include a file in another file. – nl-x Dec 11 '13 at 19:28


This function you just posted has nothing to do with "random files appearing" in your directories. These are for string sanitizations, and you aren't sanitizing integers either. If you use this function to sanitize your database inputs, then you must validate the data you're entering first so it matches your needs: if you expect an integer, you make sure it's an integer and not just add slashes to it to stop the quotes in strings; if you expect a string, you make sure it's a string. If you plan on displaying any data inputted by the user, then you must protect against XSS.

If your server has vulnerabilities, then the problem is not with your website but with the software installed on the server itself. As for the randomly appearing files, the only way I can think of is if you allowed some users to upload pictures or files without making sure what their extension is, and therefore allowing people to upload PHP files or HTML code.

Finally, I'd just like to make clear that NO ONE can give you a sanitization function that will match your needs; you need to make one for your exact needs, because no one but you knows what type of data you're expecting.

This is a general rule in protecting your website against any user input, whether it is a file being uploaded or a user being registered:

  1. Validate the data and make sure it's the type of data you're expecting.
  2. Sanitize that data so that it cannot contain any malicious codes that may compromise your website.
Ali
  • Thanks for the info! I'm still investigating and still really not sure what's going on... I thought it might be the way I was handling user input, but I'm also checking server logs for anything fishy... – c0nfus3d Dec 11 '13 at 19:17
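The answer's two-step rule (validate the type first, then escape for the context where the data is used) is easier to see in code than in prose. The following is an added example, not code from the question or the answer: it validates an integer id, an e-mail address and a free-text comment up front, then handles each output context separately (prepared statements for the database instead of a global escape-everything function, HTML escaping only at render time, and an upload check that allow-lists the extension and confirms the real content type with fileinfo, as suggested in the question's comments). `$pdo`, the `comments` table and the upload directory are hypothetical; it assumes PHP 7 or later.

```php
<?php
// Added example, not the poster's code: validate first, then escape per context.
// $pdo, the comments table and the upload directory are assumptions for illustration.
declare(strict_types=1);

// --- 1. Validate: reject anything that is not the type you expect -------------

function validateUserId($raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('user id must be a positive integer');
    }
    return $id;
}

function validateEmail($raw): string
{
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($email) > 254) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    return $email;
}

function validateComment($raw): string
{
    if (!is_string($raw)) {
        throw new InvalidArgumentException('comment must be a string');
    }
    $text = trim($raw);
    // Length and encoding checks only; no HTML escaping here, that belongs to output.
    if ($text === '' || strlen($text) > 2000 || !mb_check_encoding($text, 'UTF-8')) {
        throw new InvalidArgumentException('comment is empty, too long, or not UTF-8');
    }
    return $text;
}

// --- 2a. Database context: bound parameters, not string escaping ---------------

function storeComment(PDO $pdo, int $userId, string $text): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (user_id, body) VALUES (:uid, :body)');
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':body', $text, PDO::PARAM_STR);
    $stmt->execute();
}

// --- 2b. HTML context: escape once, at output time ------------------------------

function renderComment(string $text): string
{
    return '<p>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// --- 2c. Upload context: allow-list extension, verify content, rename on disk ---

function acceptImageUpload(array $file, string $uploadDir): string
{
    $allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Check the bytes, not the client-supplied name or Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]) {
        throw new RuntimeException('file content does not match its extension');
    }
    // Server-chosen name: the user's filename never reaches the filesystem.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Usage sketch (request values are whatever the form submits; $pdo is assumed):
// $uid  = validateUserId($_POST['user_id'] ?? null);
// $text = validateComment($_POST['comment'] ?? null);
// storeComment($pdo, $uid, $text);
// echo renderComment($text);
// $path = acceptImageUpload($_FILES['avatar'] ?? [], '/var/www/uploads');
```

The design point is that the `clean()` function in the question mixes three contexts into one pass over `$_POST`: it HTML-escapes and SQL-escapes every value whether it is headed for the database, the page or nowhere at all, which is why nl-x's comment warns about double escaping when files include each other. Keeping validation at the entry point and escaping at each exit point means a value is only ever transformed for the place it is actually going. For uploads, the allow-list plus content check is what stops a `.php` file arriving under an image name; storing uploads outside the web root, or in a directory where the web server is configured not to execute scripts, is the usual second layer.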