I am new to PHP security and am trying to implement solutions other than PDO.
I have read several articles here on Stack Overflow and googled many more.
I have tried to write my own code to secure the user input.
I would request the experts here to please have a look and guide me on whether I have missed anything here or used anything unnecessary.
Also I am missing CSRF prevention. Is there anything else other than random token generation? Can this be implemented using any functions?

extract($_POST); // pulls every POST field into the local scope as a variable
$stuid = filter_input(INPUT_GET, 'stud_id', FILTER_SANITIZE_SPECIAL_CHARS); //php filter extension
$stuid = trim($stuid);
$stuid = strip_tags($stuid);
$stuid = iconv('UTF-8', 'UTF-8//IGNORE', $stuid); //remove invalid characters.
$stuid = htmlspecialchars($stuid, ENT_COMPAT, 'UTF-8'); // manual escaping
$stuid = mysql_real_escape_string($stuid); // needs an open mysql_* connection; the mysql_* extension was removed in PHP 7
$stuid = htmlspecialchars($stuid, ENT_COMPAT, 'UTF-8'); //Cross site scripting (XSS)
$email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL); // second argument is the field name as a string, not a variable
$pass = md5($pass); // $pass was set by extract($_POST) above

Thanks in advance.

ITSagar
  • "other than PDO"... I presume you mean besides mysqli as well. You really shouldn't roll your own security. Something WILL go wrong. – Gerrit0 Nov 23 '16 at 18:04
  • This code doesn't actually *do* anything, so what are you securing? There is no single line of "security code" which will make an application secure. You have to be aware of what the application is doing and ways it can be exploited. This application doesn't do anything. – David Nov 23 '16 at 18:05
  • Is `$pass=md5($pass);` hashing a password? If so use `password_hash()` instead - http://php.net/manual/en/function.password-hash.php – Steve Nov 23 '16 at 18:09
  • For my part, extracting POST into variables is not a secure practice. Leave them in the POST until you take them out and secure them for the purpose they will be used. If this is what interests you, I will put up a solution with an example. – WEBjuju Nov 23 '16 at 18:10
  • @David Actually I am working on a student information management system. I have written this code to check with the experts whether I am going in the right direction. If all these approaches are right, then I will create a function and pass every data field through it to get the data cleaned. But I don't know whether I should use only all these or something else too, or whether the sequence I am using is proper or not. – ITSagar Nov 23 '16 at 18:11
  • @Gerrit0 I will use mysqli to fire parameterized queries. – ITSagar Nov 23 '16 at 18:11
  • @WEBjuju Sure sir, I look forward to an example that ensures data security completely. – ITSagar Nov 23 '16 at 18:14
  • The approach of trying to avoid escaping problems by “sanitising” input is [inherently broken](http://security.stackexchange.com/questions/42498/which-is-the-best-way-to-sanitize-user-input-in-php/42521). This code is throwing random sanitisation superstition at the wall and hoping something sticks. There's no guarantee it covers every injection case you might have, and it'll definitely completely mangle valid input. Don't do this. Prevent HTML injection by using `htmlspecialchars` at the point you drop text into an HTML page, not at the input phase. Prevent SQL injection by using parameters. – bobince Nov 25 '16 at 00:33

1 Answer


In a case where my user has submitted a piece of data for the database to store, I need to be sure I have sanitized it and use a parameterized query:

/* Prepare an insert statement ($mysqli is an already-open mysqli connection) */
$query = "INSERT INTO myTable (DangerousData, MoreDangerousData) VALUES (?, ?)";
$stmt = $mysqli->prepare($query);

// first argument is the type string, one 's' (string) per placeholder;
// the variables are bound by reference, so they can be assigned afterwards
$stmt->bind_param('ss', $val1, $val2);

// whitelisting is always the MOST secure since we control the data
switch ($_POST['DangerousData']) {
  case 'Lamb': $val1 = 'Lamb'; break;
  case 'Sheep': $val1 = 'Sheep'; break;
  // so if they send something not allowed, we have a default
  default: $val1 = 'WolfinsheepsClothing';
}

// otherwise, the parameterization of the statement will
// pass the data safely and prevent any SQL injection
$val2 = $_POST['MoreDangerousData'];

/* Execute the statement */
$stmt->execute();

For the purposes of Email, you need to study examples on the internet of how to properly sanitize the input coming from the user for the purpose you wish to use it - most people use regular expressions for verifying the safety and validity of an email.

Stackoverflow can help you validate an email.

Stackoverflow can help sanitize user input, too.

WEBjuju
  • Let me reiterate that the most insecure thing to do as a coding practice is to dump unclean variables into the scope using extract. If the value is still in POST, it is regarded as unsafe; period. Once you "take it out", then it should be cleaned specifically for the purpose intended. Sanitizing to send an email is different than sanitizing to produce HTML is different than sanitizing to store in a DB. There is no "one size fits all", just like you protect Credit Cards differently than you do Cash (I can selfie my Benjamin Franklin but not my whatsinyourwallet Visa, eh?) – WEBjuju Nov 23 '16 at 18:33
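Putting the answer's prepared-statement approach together with the points raised in the comments on the question (read `$_POST` directly instead of `extract()`, `password_hash()` instead of `md5()`, `htmlspecialchars()` at output time, a random session token for CSRF), as an added example that is not part of the question or the answer. It assumes an open mysqli connection in `$mysqli`, a `students` table with `student_id`, `email` and `password_hash` columns, and a form that carries `csrf_token()` in a hidden field named `csrf`; all of those names are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed example. Assumes $mysqli is an open mysqli connection and a table
// students(student_id, email, password_hash) exists; session_start() runs before use.

// CSRF: one random token per session, checked in constant time.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function csrf_valid(?string $submitted): bool {
    return $submitted !== null && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Validation: read $_POST directly (no extract()) and reject bad input instead of "cleaning" it.
function read_student_id(array $post): ?int {
    $id = filter_var($post['stud_id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}
function read_email(array $post): ?string {
    $email = filter_var(trim((string) ($post['email'] ?? '')), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Storage: prepared statement with a type string ('i' int, 's' string); password_hash(), not md5().
function store_student(mysqli $db, int $id, string $email, string $password): bool {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO students (student_id, email, password_hash) VALUES (?, ?, ?)');
    $stmt->bind_param('iss', $id, $email, $hash);
    return $stmt->execute();
}

// Output: escape at the point the value lands in HTML, never at input time.
function render_email(string $email): string {
    return '<td>' . htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf'] ?? null)) { http_response_code(403); exit('bad token'); }
    $id = read_student_id($_POST);
    $email = read_email($_POST);
    if ($id === null || $email === null) { http_response_code(400); exit('invalid input'); }
    store_student($mysqli, $id, $email, (string) ($_POST['pass'] ?? ''));
    echo render_email($email);
}
```

Each value is handled once, for the one purpose it is used for: the integer and email checks reject rather than rewrite, the database sees only bound parameters, and escaping happens only in `render_email()`.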