
Back with another question.

I have come across this really nice function that I think sanitizes and validates (I really hope that statement is actually true). Here is the function and its usage.

     // Validation rule: accept the username only if, after trim() and
     // stripslashes(), it is 2-20 characters from the class below.
     // Note: the range [A-z] spans ASCII 65-122, so besides the letters it
     // also admits [ \ ] ^ _ and ` (the characters between 'Z' and 'a').
     function funcChkLogin($str)
     {
         return preg_match("/^[A-z0-9_\-\.]{2,20}$/", stripslashes(trim($str)));
     }

     // "Sanitize": SQL-escape with the (deprecated) mysql extension, then strip HTML tags.
     function escape_data($data)
     {
         $data = mysql_real_escape_string(trim($data));
         $data = strip_tags($data);
         return $data;
     }

     // Usage: validate first, then escape the original (not the stripslashed) value.
     if (funcChkLogin($_POST['username'])) {
         $username = escape_data($_POST['username']);
     }

Because I read that the use of stripslashes creates problems, I would like to ask how safe and strong this method is for sanitization. Can it be improved?

I know using PDO is better, but there could be data that is not going into a database, and then using a nice function like this would be a good idea to ensure we have clean PHP code running. Right?

Thanks all!

Ajoo
  • Are you trying to validate that username is an email address? Why would you want to sanitize a user-provided username. It is either valid or it is not, I would not suggest altering it. I would also discourage using any code which relies on mysql_* functions. – Mike Brant Dec 02 '14 at 04:51
  • The username is a username like his login username. It's not an email. For an email I would use another filter like funcChkEmail. I am sorry, I think I had used the filter for an email to check for a user login. I wonder if I can edit that in the original question. OK, so I have changed it. – Ajoo Dec 02 '14 at 05:15

2 Answers


mysql_real_escape_string might not be safe unless you take special precautions. It is also deprecated. Use PDO.

> I know using PDOs is better but

No "but"s. Make the right choice.

Jackson
  • Sure. But what if I am using a variable that holds user input only for comparisons with some data from the database or another variable? Then is there no need to sanitize such a variable? I read that it's always advisable to sanitize / escape user input and perform limit and data checks on it. What escaping functions should we use for such variables? Thanks. – Ajoo Dec 02 '14 at 09:48
  • I would use prepared statements for *any* otherwise-interpolated variable, even my own variables. I don't trust myself to eval SQL code either. – Jackson Dec 02 '14 at 09:56
  • Escaping (for the database) isn't necessary if you use prepared statements. (You will still want to escape values printed in html with `htmlspecialchars`.) – Jackson Dec 02 '14 at 09:57
  • OK thanks everyone for the replies – Ajoo Dec 02 '14 at 11:36

Don't roll your own binding/escaping functionality

The only thing that you should be rolling your own code for is the "rules" that you actually want the user data to conform to. PHP already has the tools to deal with everything database-related. It also already has the function to deal with outputting to HTML. The concept of sanitizing everything is generally an over-compensating reaction to realizing how horrible it can be to trust user input, and is not applicable to most of the situations where you're trying to apply it. Use existing native functions (& PDO).

Data should generally be converted only when it's changing format/storage

Instead of trying to sanitize for every possible future way to use the data, consider that when you change the format of data, you should be escaping or converting it at the last possible moment, over into that new format, so that it has the display features of the new medium you want it in.

Use the right function (& PDO) for the right target

Want it to go into the database? Bind it for a prepared query at that time. Want to put it in your HTML? Escape it for HTML at exactly that time. Want it in JSON? json_encode it right before outputting it to your API. The functions that do these common escaping/binding/converting processes for you are already written into the PHP language, so don't reinvent the wheel.

One of the linked duplicate answers has some great examples of the functions that escape when you're converting from a php variable to a mysql data cell, or from a php variable to an html text display area. Just reuse those.

Kzqai
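The following is an added example, not code from the question or from either answer, showing in one place what both answers recommend: keep only the validation rule as your own code, bind at the SQL boundary with PDO, escape for HTML with `htmlspecialchars`, and encode for JSON with `json_encode`, each at the moment the value enters that target. It also goes slightly beyond the answers by showing why the question's `[A-z]` class is wider than intended. The `users` table, its columns, the DSN and the credentials are placeholders.

```php
<?php
// Added example (not from the question or answers). The users table,
// its columns, the DSN and the credentials below are placeholders.
declare(strict_types=1);

// 1. The only thing worth writing yourself: the rule.
//    The question's class [A-z] spans ASCII 65..122, so it also admits
//    [ \ ] ^ _ and `. Spell the ranges out instead, and reject rather
//    than "clean" anything that does not match.
function isValidUsername(string $raw): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{2,20}$/', $raw) === 1;
}

// What the original class lets through that the strict one rejects.
$originalRule = '/^[A-z0-9_\-\.]{2,20}$/';
foreach (['alice_1', 'a^b', 'a\\b', 'a`b'] as $candidate) {
    printf("%-8s original:%d strict:%d\n",
        $candidate,
        preg_match($originalRule, $candidate),
        isValidUsername($candidate) ? 1 : 0);
}

// 2. Database: bind at the moment the value enters SQL. No escaping
//    function and no string interpolation; the driver keeps data and
//    query separate.
function findUser(PDO $db, string $username): ?array
{
    if (!isValidUsername($username)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. HTML: escape at output time, for the HTML context only. The stored
//    value is never modified; only this rendering of it is.
function renderGreeting(string $username): string
{
    return '<p>Hello, '
        . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// 4. JSON: encode right before the response goes out. No HTML escaping
//    here, because the consumer is a JSON parser, not a browser.
function renderApi(array $row): string
{
    return json_encode($row, JSON_THROW_ON_ERROR);
}

// Placeholder connection. Emulated prepares are turned off so the MySQL
// server, not the client library, performs the binding.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$row = findUser($db, (string) ($_POST['username'] ?? ''));
if ($row !== null) {
    echo renderGreeting($row['username']);
    header('Content-Type: application/json');
    echo renderApi($row);
}
```

The same value therefore passes through three different conversions, none of which is applied in advance and none of which knows about the others; a username that is valid under the rule in step 1 is stored exactly as typed, and each target gets the encoding that target understands.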