
Is it okay to employ a function that sanitizes the incoming inputs from a form submission or any other request? It is time-saving, but the question of effectiveness and efficiency still haunts me. For instance,

    function clearSpecialChars($str)
    {
        $str = htmlentities($str);              // encode HTML-significant characters
        $str = strip_tags($str);                // remove any remaining tags
        $str = mysql_real_escape_string($str);  // escape for a MySQL query (needs an open mysql connection)

        return $str;
    }

so that when I get a form submission I do:

    $username=clearSpecialChars($_REQUEST['username']);

    $email=clearSpecialChars($_REQUEST['email']);

Fundamentally, I am not desiring any HTML input from the user.

jmishra
  • One size never fits all. This is just an attempt to be lazy. – Cheekysoft Jan 10 '12 at 09:35
  • I don't get it. You mean the above is more vulnerable than using them step by step? – jmishra Jan 10 '12 at 09:36
  • One attempts to approach the vulnerability of SQL injection, the other attempts to approach the vulnerability of cross-site scripting (although both each fail to succeed in their tasks, if not used extremely carefully - and usually in combination with other tools). They should *never* be used in sequence anywhere as they have nothing to do with each other. – Cheekysoft Jan 10 '12 at 09:42
  • Somewhat related question: [Are these two functions overkill for sanitization?](http://stackoverflow.com/q/2940030/53114) – Gumbo Jan 10 '12 at 09:46
  • thanks Gumbo. I would have never thought overkill as a term for that :) – jmishra Jan 10 '12 at 09:47

2 Answers

Each function serves its own purpose; you shouldn't use any function for anything other than its intended use.

  1. You should use mysql_real_escape_string before using the parameter in a MySQL query.
  2. You should use htmlspecialchars before outputting to the page.

That's about it.

Orentet
  • Please *don't* ever use `mysql_real_escape_string()` unless it really is your very last option --it is too easy to misuse it and end up vulnerable to SQL injection, or use it in a vulnerable configuration. Please try and use parameterised queries instead in something like the `mysqli` or `PDO` libraries. – Cheekysoft Jan 10 '12 at 09:38
  • what do you mean "too easy to misuse"? – Orentet Jan 10 '12 at 09:40
  • `$sql = "select * from users where id=" + mysql_real_escape_string( $_POST['userid'] );` One horribly common example; SQL injection right there. – Cheekysoft Jan 10 '12 at 09:43
Yes, you can create a simple function to sanitize a value before using it. I use a function like this:

    function sanitize($value)
    {
        // addslashes() backslash-escapes ' " \ and NUL; htmlentities() then encodes HTML-significant characters
        return htmlentities(addslashes($value));
    }

This escapes ' and " and converts all applicable characters into HTML entities. Mine is more complicated, with other options, but you can begin from it.

Marco Pace
  • fyi: This doesn't htmlencode single-quotes, so it is vulnerable to XSS when the injection context is inside an HTML tag, but not inside a double-quoted attribute value. Other weaknesses also exist such as multi-byte attacks (as charsets are not considered) and some browser-specific syntax exploits. – Cheekysoft Jan 10 '12 at 11:07
  • Yeah, so I said that I use a more complicated function. I thought that he wanted to know how to use some different functions in a simple way; it is difficult to speak about security problems in a single answer ;) – Marco Pace Jan 10 '12 at 11:15
  • It sure is. I think the main thing for the reader to take away from this is that any methodology is only designed to work in a particular set of places. When considering injection vulnerabilities, it is just as important to think about **where** in the syntax/structure of the output you are injecting strings, as it is to consider **how** to perform output-encoding - giant tip: output encoding is location-dependent. (and to also consider where one should avoid ever injecting into) – Cheekysoft Jan 10 '12 at 13:48
  • Yeah, I agree with you, but there are some methods that can be called together. For example, when I receive some input data, I apply a single method on the array and the method loops through the array to sanitize - or better, to do a simple initial sanitize - all input. Then I work in different ways for different values, using session tokens for forms, checks on ids, checks on data without HTML, checks for CSRF - and so on. – Marco Pace Jan 10 '12 at 14:15
  • Be sure to do all your initial input validation and reject duff data before you transform it in this way. Then please be sure that you can only use these pre-transformed forms of the data in the locations for which you have transformed them. Don't try and use the data you believe to be clean in, say, a PDF document, output data-file, or an email header or some other file format or in a different location of an HTML document you have not considered. Also, be careful not to store the pre-transformed data in your db; you will eventually run into problems if you don't store the original data. – Cheekysoft Jan 10 '12 at 14:47
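Pulling the two answers and the comment threads together, here is an added example (not from the question, either answer, or any commenter) of the shape they recommend for the same two fields: validation that rejects bad input instead of transforming it, PDO parameter binding for the SQL context, and `htmlspecialchars()` with `ENT_QUOTES` only at the point of HTML output. It assumes PHP 7.4+ with `pdo_sqlite`, using an in-memory SQLite table in place of the MySQL table; the function names and the two submissions are constructed for the example.

```php
<?php
// Assumed: PHP 7.4+ with pdo_sqlite; an in-memory table stands in for MySQL.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)');
// 1. Validate at the boundary: reject bad data rather than "cleaning" it, and
//    keep the accepted value untransformed (that is what gets stored).
function validateUsername(string $raw): string
{
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $raw)) {
        throw new InvalidArgumentException('username: 3-32 chars from [A-Za-z0-9_]');
    }
    return $raw;
}
function validateEmail(string $raw): string
{
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($email) > 254) {
        throw new InvalidArgumentException('email: not a valid address');
    }
    return $email;
}
// 2. SQL context: bind parameters, so the driver keeps data out of the query text.
function insertUser(PDO $pdo, string $username, string $email): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, email) VALUES (:u, :e)');
    $stmt->execute([':u' => $username, ':e' => $email]);
}
// 3. HTML context: encode when writing into element text or a quoted attribute.
//    ENT_QUOTES covers single quotes too, which the pre-8.1 default flags left alone.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// Constructed submissions: one well-formed, one carrying an injection attempt.
$submissions = [
    ['username' => 'alice_01',       'email' => 'alice@example.com'],
    ['username' => "bob' OR 1=1 --", 'email' => 'bob@example.com'],
];
foreach ($submissions as $req) {
    try {
        $username = validateUsername($req['username']);   // second submission throws here
        $email    = validateEmail($req['email']);
        insertUser($pdo, $username, $email);
        echo '<p>Welcome, ' . h($username) . '</p>' . "\n";
        echo '<input name="email" value="' . h($email) . '">' . "\n";
    } catch (InvalidArgumentException $e) {
        echo '<p class="error">' . h($e->getMessage()) . '</p>' . "\n";
    }
}
```

The second submission never reaches either the SQL or the HTML context; the first is stored exactly as entered and encoded only when it is written into the page.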