过滤表单输入

Question

I have a simple contact form with name, email, a select list, and textarea. In my mailer php script I'm trying to add a simple filter to prevent SQL injection or other forms of hacking.

For example, I'm using

$name = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_SPECIAL_CHARS);

Is this good?

Answer 1

Firstly let me tell you that about 85% of protection methods are done with 2 functions.

• htmlspecialchars
• mysql_real_escape_string

Firstly if someone sends some data to your site such as $_POST['name'] , and you wish to use this value back on html side such as <p>The following string: {$_POST['name']} is invalid</p> then you should ALWAYS make sure that that value has been through htmlspecialchars , this will protect most of XSS Attempts

Next is injection, if the value of $_POST['name'] is going into your database just make sure that you use mysql_real_escape_string on that value.

that will give you 100% protection from sql injection, but all that means is your db cannot run commands from the user, that dont mean that the text is what it should be.

The functions that you should always use before inserting data into your database are

• empty() or isset()
• trim()
• strlen()
• preg_match()
• filter_var and filter_input

This is called Validation and is only needed for yout to make sure the data the user is submitting is what you want such as filter_var would be used to validate that the email they entered is an email and not just some blah blah

What i usually tent do do is to run a clean function to make sure that all imputed data is clean with htmlspecialchars

example:

function clean($array)
{
    foreach($array as $key => $val)
    {
        if(is_array($val))
        {
            $array[$key] = clean($val); //Recursive 
        }else
        {
            $array[$key] = htmlspecialchars($val, ENT_QUOTES);
        }
    }
    return $array;
}

Then do the following to make sure that your safe from XSS:

$_GET = clean($_GET);
$_POST = clean($_POST);

So if someone tried to submit <a href='test'>Test</a> then the value would be converted to <a href='test'>Test</a&gt

Answer 2

FILTER_SANITIZE_SPECIAL_CHARS does HTML-escape '"<>& and characters with ASCII value less than 32. To have an full equivalent for htmlspecialchars() , use FILTER_SANITIZE_FULL_SPECIAL_CHARS which is equivalent to calling htmlspecialchars() with ENT_QUOTES set. Using this function should make the use of mysql_real_escape_string() obsolete, but safety first :)

see also: http://php.net/manual/en/filter.filters.sanitize.php for more information.

Answer 3

To test the effectiveness, try attacking your own site with SQL injection attacks. Basically, try passing strings like ' || 1=1 ' || 1=1 and see if you get an error. If you get an error, or if you get an unexpected result, your site is open to attacks. Otherwise, it is probably working; but to be sure, make sure you do lots of testing.

Answer 4

The better option is to use the mysqli extensions and prepared statements. However, there does exist the mysql_real_escape_string() function which specifically "escapes special characters in a string for use in an SQL statement".