I'm using PDO with prepared statements.

I'm using JavaScript to encrypt text from an HTML textarea, decrypt it in PHP, add some text and re-encrypt the data before writing it to the DB.

I'm using PHP to decrypt data from the DB and put it in HTML5 pages.

Often the content is the result of HTML-encoded text.

addslashes, htmlentities, preg_replace... how can I validate / filter data in the best way for me?

What's the difference between validating and filtering data?

I have no experience in security. Please help me find the best way for my application.

Thanks in advance

JB.
  • If you tell us why you are encrypting and how you are encrypting then we can answer better. Do you really need to encrypt data? – web2students.com Feb 13 '14 at 08:31
  • I use RSA to encrypt a random key generated in JS that I use to encrypt the data inserted by users and send them to PHP... decrypt the key and re-encrypt the data with a new AES key. Then I send the encrypted data to the DB. The new key generated in PHP is encrypted with RSA, this time in PHP, and stored with the data in the same record. – JB. Feb 13 '14 at 08:38
  • Why are you doing all this? Do you need HTTPS? http://en.wikipedia.org/wiki/HTTP_Secure – web2students.com Feb 13 '14 at 08:49
  • @web2students.com yes... but HTTPS doesn't save encrypted data in my DB... I have to save chemical tests on pharmaceutical products in the DB... and that data has to be stored in the safest way... whoever can access the DB must not be able to understand what they are reading in it. – JB. Feb 13 '14 at 08:51
  • Bad idea. Suppose I deactivate JavaScript in my browser. Now you are decrypting an entity which is NOT encrypted in the 1st place! What will you get? God knows.... – itachi Feb 13 '14 at 09:14
  • @itachi No, friend. The form is well structured. It is not a form with a SUBMIT button, but with a button that triggers sending the data in JavaScript, so BE SURE that if you deactivate JavaScript you will send nothing... the application also provides a system entirely in PHP if you deactivate JS before entering the page; but that is another story. – JB. Feb 13 '14 at 09:19

3 Answers

I think this is a good solution for me.

What do you think about it?

    function clearPassword($value) {
        $value = trim($value);                               // remove surrounding whitespace
        $value = strip_tags($value);                         // remove HTML tags (the argument was missing)
        $value = htmlentities($value, ENT_QUOTES, 'UTF-8');  // encode the remaining special chars as HTML entities

        return $value;
    }

    function clearText($value) {
        $value = trim($value);                               // remove surrounding whitespace
        $value = strip_tags($value);                         // remove HTML tags
        $value = filter_var($value, FILTER_SANITIZE_MAGIC_QUOTES);                     // same as addslashes(); removed in PHP 8.0
        $value = filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);   // strip control chars (\t, \n, ...); FILTER_SANITIZE_STRING is deprecated since PHP 8.1
        $value = filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);  // strip every byte above 127: é à ò ì ` and all other non-ASCII text
        $value = htmlentities($value, ENT_QUOTES, 'UTF-8');  // encode the remaining special chars as HTML entities

        return $value;
    }

    function clearEmail($value) {
        $value = trim($value);                               // remove surrounding whitespace
        $value = strip_tags($value);                         // remove HTML tags
        $value = filter_var($value, FILTER_SANITIZE_EMAIL);  // e-mail sanitize filter
        if ($value = filter_var($value, FILTER_VALIDATE_EMAIL)) {
            $value = htmlentities($value, ENT_QUOTES, 'UTF-8');  // encode the remaining special chars as HTML entities
        } else {
            $value = "BAD";
        }
        return $value;
    }
JB.
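A different split of the three jobs the functions above combine, as an added example that is not part of the original question or answer: validation decides whether the input is acceptable, the PDO prepared statement keeps the raw value out of the SQL, and HTML escaping happens only where the value is placed into a page. It assumes PHP 7.4 or later with the pdo_sqlite and mbstring extensions; the table and input values are constructed for the demo.

```php
<?php
// Added example, not code from the question or the answers: validate on input,
// store the raw value through a PDO prepared statement, escape on output.
// Assumes the pdo_sqlite extension; an in-memory database keeps it self-contained.
declare(strict_types=1);

function validateSample(array $input): array
{
    $errors = [];
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email';
    }
    // Validation checks shape (encoding, length); it does not strip or encode HTML,
    // because the database is not an HTML context and accented text must survive.
    $text = trim((string) ($input['text'] ?? ''));
    if ($text === '' || !mb_check_encoding($text, 'UTF-8') || mb_strlen($text) > 2000) {
        $errors[] = 'text';
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'email' => $email, 'text' => $text];
}

function storeSample(PDO $db, string $email, string $text): int
{
    // Bound parameters keep the value out of the SQL text; no addslashes needed.
    $stmt = $db->prepare('INSERT INTO samples (email, note) VALUES (:email, :note)');
    $stmt->execute([':email' => $email, ':note' => $text]);
    return (int) $db->lastInsertId();
}

function renderSample(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT email, note FROM samples WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Escape for the HTML context at the point of output, and only there.
    $e = fn (string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>' . $e($row['email']) . '</p><pre>' . $e($row['note']) . '</pre>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE samples (id INTEGER PRIMARY KEY, email TEXT, note TEXT)');

// Constructed input: the accented text is stored unchanged and the tag is rendered as text.
$v = validateSample(['email' => 'lab@example.com', 'text' => "pH 7,4 à 25 °C <script>x</script>"]);
if ($v['ok']) {
    echo renderSample($db, storeSample($db, $v['email'], $v['text'])), PHP_EOL;
}
```

Running it prints the stored note with the tag shown literally rather than executed, and the accented characters intact, which the STRIP_HIGH step in clearText would have removed.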

If it's validation you want, try this one.

    function clean($str) {
        $str = @trim($str);                        // remove surrounding whitespace, warnings suppressed
        if (get_magic_quotes_gpc()) {              // undo automatic slashes; removed in PHP 8.0
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);     // needs the legacy mysql extension, removed in PHP 7.0
    }

and just use it like $username = clean($_POST['username']);

Ulysses
  • Honestly, I created this post because the entire world wrote in blog posts this phrase "DO NOT USE MYSQL_REAL_ESCAPE_STRING, use PDO"... I'm using PDO... and I would like to be prepared to secure the application against XSS, CSRF and SQL injection attacks... anyway thank you @yul757 – JB. Feb 13 '14 at 08:42
  • Then if you're using PDO, there's no need to validate. – Ulysses Feb 13 '14 at 08:46
  • @yul757... if the users add some JavaScript text in my input area and that text is shown in the HTML5 pages I will probably get in trouble; addslashes, htmlentities and other functions... is there someone out there that can help me do some cleaning? – JB. Feb 13 '14 at 08:49
  • You can use regex for filtering input. By the way, filter means to remove something from whatever passes through it. Validate means to make valid or confirm the validity. I think they have the same purpose. – Ulysses Feb 13 '14 at 09:02

These were added in PHP 5.3; read the manual and see if this is helpful for you.

Sanitize Filters:

http://www.php.net/manual/en/filter.filters.sanitize.php

Validation Filters:

http://www.php.net/manual/en/filter.filters.validate.php

Newbi3
  • Sanitize will strip your input of invalid characters and give you the new "clean" version. Validate will test if it matches an email, boolean, float or other pattern that you choose. It is better to use battle-tested code than to create your own regular expressions to "validate" that you received a proper email, for example. – Newbi3 Feb 13 '14 at 09:05
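The sanitize-versus-validate distinction asked about in the question and described in the comment above, as an added example that is not from the answer: each constructed input is run through a sanitize filter, which rewrites the string, and the matching validate filter, which returns the value or false. It needs only PHP's bundled filter extension.

```php
<?php
// Added example, not code from the answer: run the same constructed inputs through
// a sanitize filter and the matching validate filter to see how they differ.
// Sanitize rewrites the string; validate returns the (possibly converted) value or false.
declare(strict_types=1);

function compareEmailFilters(string $raw): array
{
    $sanitized = filter_var($raw, FILTER_SANITIZE_EMAIL);
    return [
        'raw'       => $raw,
        'sanitized' => $sanitized,                                // unexpected characters silently dropped
        'validated' => filter_var($raw, FILTER_VALIDATE_EMAIL),   // the original is judged as submitted
        // Sanitizing first can turn a rejected value into an accepted one, which is
        // why the accept/reject decision should be made on the original input.
        'sanitized_then_validated' => filter_var($sanitized, FILTER_VALIDATE_EMAIL),
    ];
}

function compareIntFilters(string $raw): array
{
    return [
        'raw'       => $raw,
        'sanitized' => filter_var($raw, FILTER_SANITIZE_NUMBER_INT),  // keeps digits, + and - only
        'validated' => filter_var($raw, FILTER_VALIDATE_INT,          // int within range, else false
            ['options' => ['min_range' => 0, 'max_range' => 100]]),
    ];
}

// Constructed inputs: a clean address, one with a space, one with stray tag characters
foreach (['lab@example.com', 'lab @example.com', 'l<a>b@example.com'] as $s) {
    var_export(compareEmailFilters($s));
    echo PHP_EOL;
}
// Constructed inputs: in range, with a space, out of range, trailing letters
foreach (['42', '4 2', '250', '-7abc'] as $s) {
    var_export(compareIntFilters($s));
    echo PHP_EOL;
}
```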