4

Possible Duplicate:
PHP: the ultimate clean/secure function

I am working on an experimental social networking site in PHP. So, there will be a lot of user submitted data sent to the database.

I had coded a custom block script a while back, that would just block certain characters or keywords from being submitted. This worked, but it had it's list of problems.

I heard addslashes and mysql_real_escape_string will do this, but I don't want to do anything until I get some solid advice.

I tried addslashes, and it will add slashes to can't, don't, etc. I don't want that.

I just want my database to be safe from xss, html, php, and javascript attacks. Any advice?

Community
  • 1
  • 1
Brad45
  • 199
  • 7

4 Answers4

3
  • prepared statements from PDO
  • filter_var() functions
  • htmlspecialchars()

For people who don't know PHP or find documentation about functions:

  • prepared statements - will provide protection against SQL injections ( but not against extreme stupidity )
  • filter_var() - will let you make sure that data really us an URL or email address , etc.
  • htmlspecialchars() - converts characters like < , > and & into html entities, thus, protecting against XSS.

I really fail to see the need for explanation here.

tereško
  • 58,060
  • 25
  • 98
  • 150
3

You should HTML escape any content before outputting it back to the user. Then when it's ever outputted back it'll be safe. Use htmlspecialchars for PHP. See What are the best practices for avoiding xss attacks in a PHP site for more information and read OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet.

Community
  • 1
  • 1
WhiteFang34
  • 70,765
  • 18
  • 106
  • 111
  • Thanks, I'll read up on that. – Brad45 Apr 30 '11 at 22:36
  • 4
    -1 for suggesting to escape before storing. That has a bunch of disadvantages: Good template engines do escaping for you. This will break if your database contains already-escaped data. Additionally you'll have a problem if you ever want to display the data in a non-html environment, e.g. a (plaintext) email. – ThiefMaster Apr 30 '11 at 22:38
  • @ThiefMaster: good point, removed the line regarding escaping before going to a database. – WhiteFang34 Apr 30 '11 at 22:41
  • You still implicitly suggest to store escaped input. Only escape/encode on output. And don't use `htmlentities`, use `htmlspecialchars` instead. – Marcel Korpel Apr 30 '11 at 22:45
  • SGML-Encoding before storing it into the DB is of course not the most professional approach. But given OPs level of expertise and overview regarding use of the correct function for each task, the amateur solution *might* incidentally be the better advise here. – mario Apr 30 '11 at 22:46
2

All good answers so far, I would just like to add that you should make sure that the input data comes in the desired encoding - you should also normalize the different types of new line feeds or strip control characters altogether, I end up using the following function a lot:

function Filter($string, $control = true)
{
    $string = iconv('UTF-8', 'UTF-8//IGNORE', $string);

    if ($control === true)
    {
        return preg_replace('~\p{C}+~u', '', $string);
    }

    return preg_replace(array('~\r[\n]?~', '~[^\P{C}\t\n]+~u'), array("\n", ''), $string);
}

It will remove all invalid UTF-8 data from the string and normalize new lines. All control chars (except tab (\t) and new lines (\n)) are striped, and if $control == true these are stripped too.

PS: This is not very useful from a security standpoint of view but is helps avoiding GIGO.

Alix Axel
  • 151,645
  • 95
  • 393
  • 500
1
  1. For HTML type input use HTMLPurifier or similar to filter out unwanted markup.
  2. Validate form fields before storing the data
  3. Use prepared statements with PDO or MySQLi when writing to the database. This will take care of the SQL escaping for you, provided you bind your parameters correctly.
  4. Escape the output coming out of the DB before displaying it unless it can be considered safe.
ThiefMaster
  • 310,957
  • 84
  • 592
  • 636
prodigitalson
  • 60,050
  • 10
  • 100
  • 114