Filtering User Input

Question

I've read quite a few q&a's on filtering user input here, but most of the time the answer is that it depends on what you're doing. Here's what I'm doing:

Data submitted via a form that will be used in a MySQL query:

function clean($field, $link)
{
    return mysql_real_escape_string($field, $link);
}

Data submitted via a form that will be displayed back on the HTML/PHP page or in an email:

function output_html($value)
{
    return stripslashes(htmlspecialchars($value));
}

Data displayed from database:

function output_db($value)
{
    return stripslashes($value);
}

Is this sufficient for my needs? Is there something I'm not considering?

Thanks!

Answer 1

Use mysql_real_escape_string() when inserting strings into SQL queries, no matter where the input comes from.

Use htmlspecialchars() or htmlentities() when inserting strings into HTML code, no matter where the input comes from.

Use urlencode() when inserting values into the query string of a URL, no matter where the values come from.

If this data comes from the user, then you should definitely do these things because there is the chance that the user is trying to do bad things. But security aside--what if you want to insert a legitimate string into a SQL query and the string just happens to have a single quote character in it? You still must escape it.

Answer 2

I would really look into using something like PDO if you are starting out. You will eventually want to migrate that way, so why not start now.

PDO will cleanse your input automatically, which is great. It will also use prepare() statements, so you are guaranteed a single query, which prevents someone attacking with a "; DROP TABLE xxx;" or such.

http://php.net/manual/en/book.pdo.php

Answer 3

When you insert data into a SQL database, you need to escape it in order to prevent SQL injections, and mysql_real_escape_string() is the right thing to use for that in mysql. You have to remember to use that for everything, though, so it's error-prone. You should instead be using something like PDO, which automatically escapes every incoming value.

Data coming out of a database does not usually need any special treatment (ie. unescaping). I don't know what you're trying to do with stripslashes() there. If it's for removing magic quotes that PHP inserted, you should be doing that where you extract user-provided values from GET/POST/etc. (or disable magic quotes completely, if you can, and don't have any other software that relies on it)

Data going out to html needs to be escaped to prevent XSS. htmlspecialchars() is the right function for that. Again, I don't know what you're trying to use stripslashes() for. And again, you need to remember to escape every value, which is error-prone. You should at least consider the benefits of using a templating engine or something else that automatically escapes all values going to html.

Answer 4

If you have the ability, I'd recommend using mysqli instead of mysql, and utilize prepared statements:

<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$city = "Amersfoort";

/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {

    /* bind parameters for markers */
    $stmt->bind_param("s", $city);

    /* execute query */
    $stmt->execute();

    /* bind result variables */
    $stmt->bind_result($district);

    /* fetch value */
    $stmt->fetch();

    printf("%s is in district %s\n", $city, $district);

    /* close statement */
   $stmt->close();
}

/* close connection */
$mysqli->close();
?>

Source: http://php.net/manual/en/mysqli.prepare.php

This provides basic type checking and does escaping for you. I would not recommend stripslashes on outputting db data because:

1. DB data can have slashes in them
2. The database unescapes for you anyways

With regards to showing HTML, there is also htmlstriptags which can strip out people trying to be cute with tags and the like.

Answer 5

i will recommend you to use the filters introduced in php 5.2 they are great and saves you lots of lines of validation and sanatization of data. check here

filter_input