Is FILTER_SANITIZE_STRING enough to avoid SQL injection and XSS attacks?

I'm using PHP 5 with the SQLite3 class and I'm wondering if using PHP's built-in data filtering function with the flag FILTER_SANITIZE_STRING is enough to stop SQL injection and XSS attacks.

I know I can go grab a large ugly PHP class to filter everything but I like to keep my code as clean and as short as possible.

Please advise.

The SQLite3 class allows you to prepare statements and bind values to them. That would be the correct tool for your database queries.

As for XSS, well that is entirely unrelated to your use of SQLite.

It's never wise to use the same sanitization function for both XSS and SQLI. For XSS you can use htmlentities to filter user input before output to HTML. For SQLI on SQLite you can either use prepared statements (which is better) or use escapeString to filter user input before constructing SQL queries with them.
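As an added example (not code from any of the answers above), this puts the two recommendations together: the SQLite3 prepare/bind approach from the first answer for the query, and HTML entity encoding at output time for XSS. The table, column and the hostile input string are constructed for illustration.

```php
<?php
// Added example: parameterised SQLite3 query plus context-specific output
// encoding. Table, column and sample values are constructed for illustration.
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed hostile input: it would change the WHERE clause if concatenated
// into SQL, and would break out of an attribute if echoed raw into HTML.
$untrusted = "alice' OR '1'='1";

function findUserByName(SQLite3 $db, string $name): array {
    // The value is bound as data; SQLite never parses it as SQL text.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, SQLITE3_TEXT);
    $result = $stmt->execute();
    $rows = [];
    while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
        $rows[] = $row;
    }
    return $rows;
}

// Encode for the HTML body/attribute context when writing output, not when
// reading input, so the stored data stays intact for other uses.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The bound value is matched literally, so the injection attempt matches no row.
$rows = findUserByName($db, $untrusted);
printf("%d row(s) matched the hostile input\n", count($rows));

// A legitimate lookup still works through the same prepared statement.
$rows = findUserByName($db, 'alice');
echo '<p>Hello, ' . h($rows[0]['name']) . '</p>', "\n";

// Any place the untrusted value is echoed goes through the same encoder.
echo '<input value="' . h($untrusted) . '">', "\n";
```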

If you are just trying to build a simple form and don't want to introduce any heavy or even light frameworks, then go with PHP filters and use PDO for the database. This should protect you from everything but cross-site request forgeries.

I think it's good enough to secure your string data inputs, but there are many other options available which you can choose. E.g. other libraries would increase your application's processing time but will help you to process/parse other types of data.

If you don't trust your own understanding of the security issues enough to need to ask this question, how can you trust someone here to give you a good answer?

If you go down the path of stripping out unwanted characters sooner or later you're going to be stripping out characters that users want to type. It's better to encode for the specific context that the data is used.

Check out OWASP ESAPI, it contains plenty of encoding functions. If you don't want to pull in that big of a library, check out what the functions do and copy the relevant parts to your codebase.

FILTER_SANITIZE_STRING will remove HTML tags, not special characters like &. If you want to convert special characters to entity codes to prevent malicious users from doing anything:

filter_input(INPUT_GET, 'input_name', FILTER_SANITIZE_SPECIAL_CHARS);

OR

filter_var($var_name, FILTER_SANITIZE_SPECIAL_CHARS);

If you want to encode everything, it's worth using

FILTER_SANITIZE_ENCODED

For more info: https://www.php.net/manual/en/function.filter-var.php
