blackcell Posted July 9, 2008
What functions should be used to sterilize user submitted form data and protect against html injection, sql injection and javascript hijacking? Basically similar to a forum protection function. Thanks in advance.
p2grace Posted July 9, 2008
mysql_real_escape_string() should account for most security
revraz Posted July 9, 2008
If you use mysql that is.
corbin Posted July 9, 2008
htmlentities, and a function which will escape your DB's escape character. For example, if your DB is MySQL, you will need to escape all single quotes (escaped with \).

INSERT INTO table1 VALUES ('Corbin\'s Value');

If it's MSSQL, you'll need to replace all single quotes with two single quotes (' goes to '' for example).

INSERT INTO table1 VALUES ('Corbin''s Value');
p2grace Posted July 9, 2008
addslashes() or mysql_real_escape_string() will account for the slashes for mysql. You'll have to write your own function for mssql.
roopurt18 Posted July 9, 2008
Remember that when inserting data to the database you ONLY want to escape the data for what is proper for the database. For example, if you are saving someone's comments to a MySQL database, then you should ONLY be calling mysql_real_escape_string() on the data BEFORE saving it to the database. When you retrieve the data from the database to display in an HTML page, then you should sanitize it for output by calling strip_tags() or htmlentities() or any other routine. Store the data as close to its original form as possible. Only perform further sanitation when necessary.
discomatt Posted July 9, 2008
> Store the data as close to its original form as possible. Only perform further sanitation when necessary.

I disagree here. If it's user-submitted data that will never be displayed in its raw form, why spend the time to sanitize it every time the page is called? Sanitize it once and store it in the db to be more efficient. It's not like htmlentities can't be reversed or anything, if needed.
blackcell Posted July 9, 2008 (Author)
I basically have an almost forum system that users enter text. I want to prevent them from creating huge scrolling marquees and javascript hijacking. I used htmlentities and it seems it replaced ' with /// (not for sure). I just need to know what function to use for html to store data as close as possible and prevent malicious or annoying input. Thanks for the great input guys. If you want an example of what I am sterilizing check out this thread: http://www.phpfreaks.com/forums/index.php/topic,201172.msg909800.html#msg909800

I have a function:

<?php
// Encodes HTML, then escapes for MySQL (needs an open mysql_connect() link)
function CleanFormData($input) {
    $input = htmlentities($input);
    $input = mysql_real_escape_string($input);
    return $input;
}
?>

Should I use strip_tags()?
discomatt Posted July 9, 2008
I like htmlentities better than strip_tags. htmlspecialchars() might work, but I like entities a bit better myself.
blackcell Posted July 9, 2008 (Author)
Would using both or all three be overkill or have a negative influence?
discomatt Posted July 10, 2008
Negative effect. Test it out.
roopurt18 Posted July 10, 2008
> > Store the data as close to its original form as possible. Only perform further sanitation when necessary.
>
> I disagree here. If it's user-submitted data that will never be displayed in its raw form, why spend the time to sanitize it every time the page is called? Sanitize it once and store it in the db to be more efficient. It's not like htmlentities can't be reversed or anything, if needed.

You can't guarantee the data will never be displayed in its raw form. The only constant in software development is change and you can be sure that some day in the future you will want to change the way your software works. You also have the fact that sanitizing routines not only change the raw data, but they can also increase its size beyond the capacity of the database field. Consider the following:

#1 Your DB field has a width of N characters
#2 The user enters N characters of data including HTML
#3 Your program sanitizes by calling htmlentities() on the data before inserting into the database
#4 You now try and insert N + X (where X is the number of characters added by htmlentities()) into a field N characters wide

You have now irrevocably modified the original data. On top of it all you should always sanitize the data before displaying it to the user. Just because you sanitized it going in doesn't mean it's sanitized going out. How do you know someone hasn't compromised your database directly and issued their own INSERT INTO statements? You don't. Sanitize for the database going in. Sanitize for display / output only when needed. Necessary processing is not wasted processing. If you're really concerned about the performance cost, then implement a caching system.
discomatt Posted July 10, 2008
It won't get truncated with proper validation -> If it's that important, you'll know if the data will be truncated before it is. If your database is compromised, they usually have the data they'd want to XSS to steal. Not only that, but you'd have to validate just about EVERY value coming out of your database... if you can't assume your own server is secure, you should probably be getting someone else to secure it. And htmlentities can be reversed. If you ever need the data back in its raw form, it's done. I guess I'm just really not worried about you injecting code into my database, through means other than ones that would give you direct access to my PHP files anyways... It doesn't make sense to script so inefficiently.
blackcell Posted July 10, 2008 (Author)
How do I get new line and carriage returns to turn to breaks or is that a manual process?
discomatt Posted July 10, 2008
nl2br
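The pipeline roopurt18 describes (escape for the database going in, encode for HTML going out, validate the raw length so his #1-#4 truncation cannot happen), with discomatt's nl2br answer applied on the output side. This is an added example, not code from the thread; the thread's mysql_* functions need a live MySQL server, so it assumes PDO with an in-memory SQLite database, where bound parameters do the escaping that mysql_real_escape_string() does, and the input string, table name and 40-character field width are constructed for the demo.

```php
<?php
// Added example: store raw, validate length, encode at output time.
// Assumption: PDO + in-memory SQLite stand in for the thread's MySQL setup.
$fieldWidth = 40;   // "#1 Your DB field has a width of N characters" (constructed N)

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// SQLite does not enforce VARCHAR widths, so the length check below is explicit.
$pdo->exec("CREATE TABLE comments (id INTEGER PRIMARY KEY, body VARCHAR(40))");

function store_comment(PDO $pdo, string $raw, int $fieldWidth): int {
    // Validate the RAW length: that is what gets stored, so it is what must fit.
    if (strlen($raw) > $fieldWidth) {
        throw new LengthException("comment exceeds $fieldWidth characters");
    }
    // Escape for the database only. The driver binds the value; no htmlentities()
    // and no hand-built quoting here, so the row keeps the original text.
    $stmt = $pdo->prepare("INSERT INTO comments (body) VALUES (:body)");
    $stmt->execute([':body' => $raw]);
    return (int) $pdo->lastInsertId();
}

function render_comment(PDO $pdo, int $id): string {
    $stmt = $pdo->prepare("SELECT body FROM comments WHERE id = :id");
    $stmt->execute([':id' => $id]);
    $body = (string) $stmt->fetchColumn();
    // Encode for HTML on every display, regardless of how the row got there.
    // Order matters: htmlspecialchars() first, then nl2br(); the other way round
    // the <br /> tags nl2br() inserts would themselves be encoded.
    return nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));
}

// Constructed user input: exactly 40 characters, with a quote, tags and a newline.
$raw = "<b>Corbin's</b>\n<marquee>hello</marquee>";

$id = store_comment($pdo, $raw, $fieldWidth);
echo render_comment($pdo, $id), "\n";

// roopurt18's #4: encoding before storage would not have fit the 40-char field.
printf("raw: %d chars, htmlentities(): %d chars, field width: %d\n",
       strlen($raw), strlen(htmlentities($raw, ENT_QUOTES, 'UTF-8')), $fieldWidth);
```

The rendered comment shows the tags as literal text with a `<br />` at the newline, and the final line shows the encoded form being longer than the raw input that was validated against the field width.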
blackcell Posted July 11, 2008 (Author)
What?
roopurt18 Posted July 11, 2008
http://www.google.com/search?q=nl2br
auro Posted July 11, 2008
I think the best idea is to use:

<?php
// Trim and slash-escape all request input unless magic_quotes_gpc already did
if (!get_magic_quotes_gpc()) {
    $_GET    = array_map('trim', $_GET);
    $_POST   = array_map('trim', $_POST);
    $_COOKIE = array_map('trim', $_COOKIE);
    $_GET    = array_map('addslashes', $_GET);
    $_POST   = array_map('addslashes', $_POST);
    $_COOKIE = array_map('addslashes', $_COOKIE);
}
?>

And when your data is to be displayed in an html page, use htmlspecialchars($text);