
So this is the first project I've worked on where I am NOT working with a pre-built CMS, and I'm trying to make sure that the data that is submitted is secure.

My question is in two parts: a) Is the way that I am checking $_POST values secure enough? Here it is:

function validateInput($data) {
    $data = trim($data);            // drop leading/trailing whitespace
    $data = stripslashes($data);    // remove backslashes
    $data = htmlspecialchars($data); // encode <, >, &, " as HTML entities
    return $data;
}

$id = validateInput($_POST['id']);
$name = validateInput($_POST['name']);
$address = validateInput($_POST['address']);

b) If not, how can I make it more secure and less likely to be SQL injected?

I would really appreciate some help on this. Thanks guys

MarkP
    Don't reinvent the wheel. – John Conde Mar 20 '14 at 15:45
  • Rather duplicate of this one http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php – Your Common Sense Mar 20 '14 at 15:51
  • To answer your question: No, it’s not. From the [list of characters to be escaped](http://stackoverflow.com/a/1087208/53114), your function does only render the double quote harmless. – Gumbo Mar 20 '14 at 17:23

2 Answers


What you are doing is a great start, and don't let anyone tell you not to escape special characters.

The official answer is to use modern MySQL methods: either mysqli or PDO.

Please Google those: "PHP: mysqli" and "PHP: PDO".

There is great documentation on those.

Any mysql_escape_... is deprecated.

One more note: stripslashes does not add any security value.

Funk Forty Niner
Kevin Florida
    @YourCommonSense, please add constructive help rather than negative comments. You obviously don't know what you are talking about. The trim() method removes the first part of a SQL injection; the htmlspecialchars() method encodes characters which can be used for escaping. I have been a PHP security expert for 10 years, so maybe you should brush up. – Kevin Florida Mar 20 '14 at 15:53

Using mysqli for preparing your variables:

// $db is the open mysqli connection; the result is safe only inside a quoted SQL string literal
$id = mysqli_real_escape_string($db, $_POST['id']);
$name = mysqli_real_escape_string($db, $_POST['name']);
$address = mysqli_real_escape_string($db, $_POST['address']);

Or with a database object (as defined when opening your connection):

$id = $db->real_escape_string($_POST['id']);
$name = $db->real_escape_string($_POST['name']);
$address = $db->real_escape_string($_POST['address']);

http://dk1.php.net/mysqli_real_escape_string

Frederik Spang
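The first answer recommends mysqli or PDO and the second shows mysqli escaping; the following is an added example (not code from the question or from either answer) that puts the two pieces together with a mysqli prepared statement, so that user data never becomes part of the SQL text and escaping is not needed at all. It assumes a hypothetical table `people (id INT, name VARCHAR, address VARCHAR)`, placeholder connection credentials, and a constructed `$post` array standing in for `$_POST`. Validation here rejects bad input instead of rewriting it, and `htmlspecialchars` is applied only when a value is rendered into HTML, not before it is stored.

```php
<?php
// Added example; not part of the original question or answers.
// Assumed schema: people (id INT, name VARCHAR(100), address VARCHAR(200)).
declare(strict_types=1);

// 1. Validate: reject what does not fit instead of mangling it.
//    No stripslashes (no security value) and no htmlspecialchars here,
//    because HTML escaping belongs at output time, not at storage time.
function requireField(array $post, string $key, int $maxLen): string
{
    $value = trim((string)($post[$key] ?? ''));
    if ($value === '' || mb_strlen($value) > $maxLen) {
        throw new InvalidArgumentException("Field '$key' is missing or too long");
    }
    return $value;
}

function requireInt(array $post, string $key): int
{
    $value = trim((string)($post[$key] ?? ''));
    if (!ctype_digit($value)) {   // digits only, so anything else is refused
        throw new InvalidArgumentException("Field '$key' must be a positive integer");
    }
    return (int)$value;
}

// 2. Store: the query text contains only placeholders; values travel
//    separately with a declared type, so quoting and escaping are moot.
function insertPerson(mysqli $db, int $id, string $name, string $address): int
{
    $stmt = $db->prepare('INSERT INTO people (id, name, address) VALUES (?, ?, ?)');
    $stmt->bind_param('iss', $id, $name, $address);  // i = integer, s = string
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// 3. Display: escape for HTML exactly where the value meets HTML.
function renderPerson(string $name, string $address): string
{
    return '<li>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . ' - ' . htmlspecialchars($address, ENT_QUOTES, 'UTF-8') . '</li>';
}

// Constructed sample request standing in for $_POST.
$post = ['id' => '42', 'name' => "O'Brien", 'address' => '1 <Main> St'];

$id      = requireInt($post, 'id');
$name    = requireField($post, 'name', 100);
$address = requireField($post, 'address', 200);

// Throw on database errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER',
                 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$db->set_charset('utf8mb4');  // the same charset real_escape_string would rely on

insertPerson($db, $id, $name, $address);
echo renderPerson($name, $address);
```

The apostrophe in "O'Brien" is stored exactly as typed and the angle brackets in the address are stored as-is, because the prepared statement keeps them out of the SQL text; they are encoded only in `renderPerson`, where they would otherwise be interpreted as HTML. The `'i'` type on the id also covers the case the escaping approach misses: an integer placed in the query without surrounding quotes, where `real_escape_string` has nothing to escape.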