
At work we are building a micro-CMS based solely on PHP + MySQL. Even if we try to sanitize all user input data and test every function / method, we can make mistakes. For example, if we sanitize a string with a function, let's say:

$name_surname = sanitize_str($_POST["nameSurname"], "text", 50, null, "utf8");

function sanitize_str($input, $data_type, $length, $range = null, $encoding = "utf8", ...$options) {
    // ... validate and normalise $input according to $data_type, $length,
    //     $range and $encoding (the actual checks are elided here)
    $sanitized_string = $input;
    try {
        // ...
    } catch (Exception $e) {
        // ...
    }
    return $sanitized_string;
}

let's imagine that I call directly

$name_surname = $_POST["nameSurname"];

I am completely open to SQL injection. Is there some automated tool that will take given URLs and run tests to look for vulnerabilities? For example, detecting forms in the test URLs, autofilling the forms, submitting them and finding out whether a MySQL error is generated.

Cesar
    There are many many tools out there. Just look for website security tools, and OWASP. You shouldn't need to create a function to sanitize inputs yourself if you use PDO or mysqli. – aynber Apr 27 '16 at 16:48
    Simple: you don't sanitize. You use appropriate tools (e.g. prepared statements) so that SQL injection is simply not possible, even if the "outside" data is riddled with injection attempts. – Marc B Apr 27 '16 at 16:49
  • In your code, don't call `$_POST['nameSurname']` directly. Why would you create a function to sanitize variables and then *not* call that function to sanitize the variables? You're creating a problem that does not actually exist. You and your team have full control over the code, correct? – mferly Apr 27 '16 at 16:49
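The prepared-statement approach the commenters recommend, shown next to the "forgot to sanitize" query from the question, as an added example that is not code from the question or the comments. The `users` table, its columns and the connection details are assumed placeholders.

```php
<?php
// Added example (not from the question or comments): why a forgotten call to
// sanitize_str() is fatal when the value is concatenated into SQL, and why it
// is harmless when the value is bound as a parameter.
declare(strict_types=1);

// Placeholder connection; DSN and credentials are assumptions for this example.
$pdo = new PDO(
    'mysql:host=localhost;dbname=cms;charset=utf8mb4',
    'cms_user',
    'PLACEHOLDER_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// VULNERABLE: the question's scenario. The raw input becomes part of the SQL
// text, so a quote character in it changes the structure of the query.
function findUserVulnerable(PDO $pdo, string $nameSurname): array
{
    $sql = "SELECT id, name_surname FROM users WHERE name_surname = '$nameSurname'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the value travels to MySQL as a bound parameter and is never parsed
// as SQL, so whether or not sanitize_str() ran first does not affect safety.
function findUserSafe(PDO $pdo, string $nameSurname): array
{
    $stmt = $pdo->prepare(
        'SELECT id, name_surname FROM users WHERE name_surname = ?'
    );
    $stmt->execute([$nameSurname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Length/encoding validation is still useful for data quality, but it is not
// what protects the query; the binding is.
$nameSurname = $_POST['nameSurname'] ?? '';
if (mb_strlen($nameSurname, 'UTF-8') > 50) {
    http_response_code(400);
    exit('nameSurname too long');
}
$rows = findUserSafe($pdo, $nameSurname);
```

The vulnerable function is included only to show the pattern a scanner of the kind the question asks about would flag; in a real code base only the prepared-statement form should exist.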
