Sterlizing Form Data

[blackcell]

What functions should be used to sterilize user submitted form data and protect against html injection, sql injection and javascript hijacking? Basically similar to a forum protection function.

 

Thanks in advance.

[p2grace]

mysql_real_escape_string() should account for most security

[revraz]

If you use mysql that is.

[corbin]

htmlentities, and a function which will escape your DB's escape character.

 

For example, if your DB is MySQL, you will need to escape all single quotes (escaped with \).  INSERT INTO table1 VALUES ('Corbin\'s Value');

If it's MSSQL, you'll need to replace all single quotes with two single quotes (' goes to '' for example).  INSERT INTO table1 VALUES ('Corbin''s Value');

[p2grace]

addslashes() or mysql_real_escape_string() will account for the slashes for mysql.  You'll have to write your own function for mssql.

[roopurt18]

Remember that when inserting data to the database you ONLY want to escape the data for what is proper for the database.  For example, if you are saving someone's comments to a MySQL database, then you should ONLY be calling mysql_real_escape_string() on the data BEFORE saving it to the database.

 

When you retrieve the data from the database to display in an HTML page, then you should sanitize it for output by calling strip_tags() or htmlentities() or any other routine.

 

Store the data as close to it's original form as possible.  Only perform further sanitation when necessary.

[discomatt]

Store the data as close to it's original form as possible.  Only perform further sanitation when necessary.

 

I disagree here. If it's user-submitted data that will never be displayed in its raw form, why spend the time to sanitize it every time the page is called? Sanitize it once and store it in the db to be more efficient. It's not like htmlentities can't be reversed or anything, if needed.

[blackcell]

I basically have an almost forum system that users enter text. I want to prevent them from creating huge scrolling marquees and savascript hijacking. I used htmlentities and it seems it replaced ' with /// (not for sure). I just need to know what function to use for html to store data as close as possible and prevent malacious or annoying input. 

 

Thank for the great input guys.

 

If you want an example of what I am sterilizing check out this thread:

http://www.phpfreaks.com/forums/index.php/topic,201172.msg909800.html#msg909800

 

I have a function:

<?php
function CleanFormData($input){
   $input = htmlentities($input);
   $input = mysql_real_escape_string()($input);
   return $input;
}
>?

Should I use strip_tags()?

[discomatt]

I like htmlentities better than strip_tags.

 

htmlspecialchars() might work, but I like entities a bit better myself.

[blackcell]

Would using both or all three be overkill or have a negative influence?

[discomatt]

Negative effect. Test it out.

[roopurt18]

Store the data as close to it's original form as possible.  Only perform further sanitation when necessary.

 

I disagree here. If it's user-submitted data that will never be displayed in its raw form, why spend the time to sanitize it every time the page is called? Sanitize it once and store it in the db to be more efficient. It's not like htmlentities can't be reversed or anything, if needed.

 

You can't guarantee the data will never be displayed in its raw form.  The only constant in software development is change and you can be sure that some day in the future you will want to change the way your software works.

 

You also have the fact sanitizing routines not only change the raw data, but they can also increase its size beyond the capacity of the database field.  Consider the following:

#1 Your DB field has a width of N characters

#2 The user enters N characters of data including HTML

#3 Your program sanitizes by calling htmlentities() on the data before inserting into the database

#4 You now try and insert N + X (where X is the number of characters added by htmlentities()) into a field N characters wide

 

You have now irrevocably modified the original data.

 

On top of it all you should always sanitize the data before displaying it to the user.  Just because you sanitized it going in doesn't mean it's sanitized going out.  How do you know someone hasn't compromised your database directly and issued their own INSERT INTO statements?  You don't.

 

Sanitize for the database going in.  Sanitize for display / output only when needed.  Necessary processing is not wasted processing.  If you're really concerned about the performance cost, then implement a caching system.

[discomatt]

It won't get truncated with proper validation -> If it's that important, you'll know if the data will be truncated before it is.

 

If your database is compromised, they usually have the data they'd want to XSS to steal. Not only that, but you'd have to validate just about EVERY value coming out of your database... if you can't assume your own server is secure, you should probably be getting someone else to secure it.

 

And htmlentities can be reversed. If you ever need the data back in it's raw form, it's done.

 

I guess I'm just really not worried about you injecting code into my database, through means other than ones that would give you direct access to my PHP files anyways... It doesn't make sense to script so inefficiently.

[blackcell]

How do i get new line and carriage returns to turn to breaks or is that a manual process?

[discomatt]

nl2br

[blackcell]

What?

[roopurt18]

http://www.google.com/search?q=nl2br

[auro]

I think the best idea is to use:

 

if(!get_magic_quotes_gpc()){
$_GET = array_map('trim', $_GET);
$_POST = array_map('trim', $_POST);
$_COOKIE = array_map('trim', $_COOKIE);

$_GET = array_map('addslashes', $_GET);
$_POST = array_map('addslashes', $_POST);
$_COOKIE = array_map('addslashes', $_COOKIE);

}

 

And when your data is to be displayed in an html page, use

 

htmlspecialchars($text);