FULL CHECKS BEFORE ADDING TO DATABASE – SQL INJECTIONS, HTML TAGS – THE LOT


johnsmith153

This is more of a solution. I am asking for confirmation that this is suitable and so I can go ahead and use on my new site.

 

A few answers would be great:

 

(1) Is below suitable to ensure very good security on my site? Do I need anything else?

(2) I am using <meta http-equiv="Content-Type" content="text/html;charset=utf-8" /> for ALL pages. There is a bit with htmlentities where I have selected 'UTF-8' – Is this correct?

(3) Will I be covered by people trying to enter the following?

-- (I have heard putting this can signal to end a command)

;

=

\

+

Entering char()

Using &# to display html characters

ASCII / Binary or something?

 

I can't / won't use:

mysql_real_escape_string (I am using a MySQL database, but through a web services API – so doesn't work)

stripslashes / addslashes / magic_quotes (deprecated php 6)

 

Imagine for this example a user is submitting a message to a message board. And for example's sake, a form posts the message, name of user and age of user (assume no log in – they just type in their name, age and message.)

 

I will always use fixed column names and never dynamically create them (i.e. I will never use ORDER BY '$columnname') – however I will often use dynamic statements (i.e. I WILL use Customer LIKE '$customername').

 

PREPARE DATA TO ADD TO DATABASE

 

<?php

global $error_chk;
$error_chk = 0;

function checkdata($value, $valtype, $length)
{
    global $error_chk;

    $value = trim($value);
    $value = htmlentities($value, ENT_NOQUOTES, 'UTF-8');

    // Backslashes have to be doubled FIRST. Doing it after the other
    // replacements re-escapes the backslashes those replacements added
    // (e.g. "#" would end up as "\\#").
    $value = str_replace("\\", "\\\\", $value);
    $value = str_replace("#", "\#", $value);
    $value = str_replace("%", "\%", $value);
    $value = str_replace("_", "\_", $value);
    $value = str_replace("\x00", "\\x00", $value);
    $value = str_replace("\n", "\\n", $value);
    $value = str_replace("\r", "\\r", $value);
    $value = str_replace("'", "\'", $value);
    $value = str_replace("\"", "\\\"", $value);
    $value = str_replace("\x1a", "\\\x1a", $value);

    // Type checks (note: after htmlentities() the value is always a string)
    if($valtype=="st"){if(!is_string($value)){$error_chk = 1;$value="";}}
    if($valtype=="ar"){if(!is_array($value)){$error_chk = 1;$value="";}}
    // intval()/floatval() return the converted value; it must be assigned back
    if($valtype=="in"){if(!is_numeric($value)){$error_chk = 1;$value="";}else{$value = intval($value);}}
    if($valtype=="fl"){if(!is_numeric($value)){$error_chk = 1;$value="";}else{$value = floatval($value);}}

    // Length / range checks
    if($valtype=="st"){if(strlen($value)>$length){$error_chk=2;$value="";}}
    if($valtype=="in"){if($value>$length){$error_chk=2;$value="";}}

    return $value;   // the caller needs the cleaned value back
}

//Now I can do this: (I think)
//st=string in=integer etc.
$messagetoadd = checkdata($_POST['message'], 'st', 250);
$name = checkdata($_POST['name'], 'st', 16);
$age = checkdata($_POST['age'], 'in', 110);

// The flag is only meaningful AFTER the checkdata() calls; checking it
// before them always sees 0
if($error_chk!=0)
{
    echo "DONT ADD TO DB";
}

?>

 

 

PREPARE DATA TO SHOW ON SCREEN TO USER

 

Reverse the above

i.e. use: html_entity_decode($value, ENT_NOQUOTES, 'UTF-8');

 

 

Thanks for any help.
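Added example (this is not the poster's code and not a PHP Freaks snippet): it covers the same three fields and the same character list from the post, but splits the job the way a reviewer would ask for. Validation happens once and returns a value instead of setting a global; the SQL driver is given the data as bound parameters, so none of `'`, `--`, `;`, `\` or `&#` can change the statement and no hand-rolled escaping is needed (this is what makes the "mysql_real_escape_string doesn't work through my API" problem go away); the `LIKE` wildcards `%` and `_` are escaped only for the one query that uses `LIKE`, with an explicit `ESCAPE` character; and HTML encoding is done when the text is displayed, not before it is stored, which is also what the "PREPARE DATA TO SHOW ON SCREEN" section is reaching for. Assumptions: PHP 8 with PDO and pdo_sqlite (an in-memory SQLite database stands in for MySQL so the script runs on its own; the MySQL DSN is a one-line change), the helper names `validateField` and `escapeLike` are mine, the escape character `!` is an arbitrary choice, and the `$post` array is constructed sample input standing in for `$_POST`.

```php
<?php
// Added example, not the original poster's code. Validate, insert with bound
// parameters, search with LIKE safely, and encode at output time.
// Assumes PHP 8 with PDO + pdo_sqlite; SQLite in memory stands in for MySQL.
declare(strict_types=1);

/**
 * Validate one form field. Returns the cleaned value, or null on failure.
 * No escaping happens here: escaping belongs to whatever consumes the value
 * (the SQL driver for storage, htmlspecialchars() for display).
 * Helper name and signature are this example's own, not a PHP built-in.
 */
function validateField(mixed $raw, string $type, int $limit): int|string|null
{
    if (!is_string($raw)) {            // $_POST values are strings or arrays
        return null;
    }
    $raw = trim($raw);
    switch ($type) {
        case 'st':
            // mb_strlen counts characters, not bytes, so the limit means the
            // same thing for UTF-8 input as for plain ASCII
            return ($raw !== '' && mb_strlen($raw, 'UTF-8') <= $limit) ? $raw : null;
        case 'in':
            // FILTER_VALIDATE_INT rejects "12abc", "1e3", "0x1A" and floats,
            // which is_numeric() would have let through
            $n = filter_var($raw, FILTER_VALIDATE_INT);
            return ($n !== false && $n >= 0 && $n <= $limit) ? $n : null;
        default:
            return null;
    }
}

/** Escape LIKE metacharacters so user text matches literally (helper is mine). */
function escapeLike(string $s, string $esc = '!'): string
{
    // Escape the escape character first, then the two wildcards
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $s);
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, name TEXT, age INTEGER, message TEXT)');

// Constructed sample input standing in for $_POST. The quote, "--", "%", ";",
// "&" and the tags are exactly the characters asked about in the post.
$post = [
    'name'    => "O'Brien -- 100%",
    'age'     => '34',
    'message' => "<b>hi</b>; -- 'quotes' & tags",
];

$name    = validateField($post['name'],    'st', 16);
$age     = validateField($post['age'],     'in', 110);
$message = validateField($post['message'], 'st', 250);

if ($name === null || $age === null || $message === null) {
    exit("DONT ADD TO DB\n");
}

// Bound parameters: the data is sent separately from the SQL text, so no
// character in it can end the string literal or the statement
$ins = $pdo->prepare('INSERT INTO posts (name, age, message) VALUES (:name, :age, :message)');
$ins->execute([':name' => $name, ':age' => $age, ':message' => $message]);

// Dynamic LIKE search (the "Customer LIKE '$customername'" case): still bound,
// and wildcards typed by the user are matched literally because of ESCAPE
$needle = escapeLike("O'Brien -- 100%");
$sel = $pdo->prepare("SELECT name, age, message FROM posts WHERE name LIKE :pat ESCAPE '!'");
$sel->execute([':pat' => '%' . $needle . '%']);

// Encode when rendering, with ENT_QUOTES so the value is also safe inside an
// attribute (ENT_NOQUOTES leaves " and ' alone, which is not enough there)
foreach ($sel->fetchAll(PDO::FETCH_ASSOC) as $row) {
    $safeName = htmlspecialchars($row['name'],    ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safeMsg  = htmlspecialchars($row['message'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    printf("<p data-author=\"%s\">%s (age %d)</p>\n", $safeName, $safeMsg, $row['age']);
}
```

Two points about the design. Storing the raw text and encoding on output means the same row can later be sent as JSON, plain text or e-mail without first undoing an `htmlentities()` pass, and the `html_entity_decode()` step in the post becomes unnecessary. On MySQL the only other thing to add is `PDO::ATTR_EMULATE_PREPARES => false` in the constructor options so the server, not the client library, performs the parameter binding.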

If it is too long, please just tell me if this is enough to use to validate data before inserting into database.

 

I can't / won't use mysql_real_escape_string / addslashes / magic_quotes

 


I can't / won't use:

mysql_real_escape_string (I am using a MySQL database, but through a web services API – so doesn't work)

 

The use of a web services API shouldn't have anything to do with it. The output of mysql_real_escape_string is 100% valid SQL.

But does my code look ok??

 

If you are right that I could get mysql_real_escape_string to work, great, but assuming not..??

 

There are obviously a lot more things to consider than just escaping.

If anyone is interested I have had a trustworthy source confirm this is a good method.

 

I found it difficult getting the help on this; maybe it is too advanced for some PHP Freaks forum users (no offence).
