I see there's a lot of talk here about how to go about sanitizing data. Could it be as simple as adding this rewrite rule to .htaccess?

RewriteRule ^([\w\-]+)$ index.php?page=$1

To my understanding this will allow only letters, numbers, _ and - in $1, am I right?

If you add to this usage of prepared statements for SQL queries, it should be pretty proof, is that right?

Somehow it feels too easy to be true; am I missing something, any ways to firm it up?

CodeVirtuoso

2 Answers

1

If you add to this usage of prepared statements for SQL queries, it should be pretty proof, is that right?

Not really, because your rule is too strict for most use cases. Think for example of umlauts in string inputs. You will need to allow some non-ASCII characters for some inputs. Such data is percent-encoded in URLs, so you would have to start filtering out certain characters, and even that would be useless for security. There are many, many more attack vectors than just database injections.

For all those dangers, there is no "one size fits all" sanitation method. For every scenario (use in file names; in HTML output; in JavaScript output; in e-mails; ...), there is one right way. Filtering out "invalid" characters on the web server level is not really practical - for perfect security, you would have to re-create all those specific sanitation functions in Apache syntax, which is close to impossible.

See also: PHP: the ultimate clean/secure function

Pekka
  • So what would you suggest as further safety step if we talk about usage for SQL queries - can url_decode do any good? Also about XSS through HTML output, doesn't stripping >< prevent existence of HTML? Sorry if questions sound a bit uninformed, that's exactly why I'm asking. – CodeVirtuoso Jan 02 '11 at 17:58
  • @Freelancer PDO's or mysqli's prepared statements are regarded as sufficient protection against injection. There is no need to do anything else. Re XSS, let me dig up a link – Pekka Jan 02 '11 at 17:59
  • @Freelancer Re XSS, running `htmlspecialchars()` on any user data before outputting it in HTML is mandatory. Here is one answer that claims that `strip_tags()` is necessary as well to protect against a rather exotic attack: http://stackoverflow.com/questions/3623236/htmlspecialchars-vs-htmlentities-when-concerned-with-xss but I'm not sure what to think of it - I personally think `htmlspecialchars()` will do. – Pekka Jan 02 '11 at 18:02
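Putting the advice from this answer and its comments together, as an added example that is not part of the answer: the `[\w\-]+` whitelist from the rewrite rule is repeated in PHP (index.php can be requested directly, so the .htaccess rule alone is not a security boundary), the page name is bound in a PDO prepared statement, and output is escaped with `htmlspecialchars()` at the point it enters HTML. The `pages` table, its columns and the SQLite file are assumptions.

```php
<?php
// Added example (not from the answers above). Assumes a table `pages`
// with columns `slug`, `title`, `body` in an SQLite file next to this script.
declare(strict_types=1);

// Mirror the .htaccess whitelist in PHP: the rewrite rule is a routing
// convenience, not a security boundary, because index.php can still be
// requested directly with any ?page= value.
function valid_slug(string $slug): bool
{
    return (bool) preg_match('/^[\w\-]+$/', $slug);
}

// Database context: the slug goes in as a bound parameter, so the DB
// sees it as data whatever characters it contains.
function load_page(PDO $pdo, string $slug): ?array
{
    $stmt = $pdo->prepare('SELECT slug, title, body FROM pages WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML context: escape at output time, regardless of what was allowed in.
// The title may legitimately contain umlauts or quotes; this keeps them
// displayable while neutralising markup.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$slug = $_GET['page'] ?? '';
if (!valid_slug($slug)) {
    http_response_code(400);
    exit('Bad page name');
}

$pdo = new PDO('sqlite:' . __DIR__ . '/site.db', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$page = load_page($pdo, $slug);
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}

echo '<h1>', h($page['title']), '</h1>';
echo '<div>', h($page['body']), '</div>';
```

Each layer handles its own context: the whitelist only decides which slugs are routable, the bound parameter protects the query, and the escaping protects the HTML, which is why none of them can replace the others.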
1

You may want to investigate using something like mod_security if you want to do things at the web server level. It will help mitigate some attacks - but the ultimate level of defense will have to be done within PHP itself. There will always be an attack that will be considered "just fine" by the web server, but cause chaos in your application. No matter how well you lock down query parameters to prevent injection vulnerabilities, there'll be something you missed.

So why waste hours/days of your time coming up with the perfect RewriteRule when you can just do a simple mysql_real_escape_string() within PHP and catch everything right there?

Marc B