Omzy, posted May 24, 2009 (https://forums.phpfreaks.com/topic/159463-input-validation/):
I've got a form with input fields and I've included the most common validation, for example strlen(), trim() and strip_tags(). Are there any other validation methods I should include? I am particularly trying to prevent SQL injection attacks.
Axeia, posted May 24, 2009:
Look into using prepared statements or things like mysql_real_escape(). That isn't validating though, it's sanitizing.
MadTechie, posted May 24, 2009:
Axeia covered the main one for SQL, but for HTML injection (XSS) use htmlspecialchars().
Omzy (author), posted May 24, 2009:
Cheers guys. Currently I've got:

$query = "INSERT INTO table (name) VALUES ('" . strip_tags($name) . "')";

So what would be best to add to this - htmlspecialchars() or mysql_real_escape_string()?
jxrd, posted May 24, 2009:
Well, with strip_tags() you completely remove HTML tags, so there's not much point in using htmlspecialchars() as well. mysql_real_escape_string is almost mandatory. If you don't use it, your query will break if you have a quote in the input (unless magic quotes is on, but we all know that's stupid and should be turned off). It also prevents SQL injection, and goes one step further than addslashes(). For example, if I were to put 0x27 into your input, it would convert it to a single quote ('). addslashes wouldn't pick that up, but mysql_real_escape_string would, and escape it.
Omzy (author), posted May 24, 2009:
Cheers for that mate. Is there any need to add any additional code to a standard delete statement:

$query="DELETE FROM table WHERE id='$_GET['id']'";
jxrd, posted May 24, 2009:
Well, those nested single quotes will break your statement... Try this:

$query="DELETE FROM table WHERE id='{$_GET['id']}'";
Omzy (author), posted May 24, 2009:
That code that I wrote above works fine though, the single quotes don't break the statement. All I'm trying to do now is make it more secure.
jxrd, posted May 24, 2009:
Hmm... that's odd. I guess PHP converts $_GET['id'] before it gets to the query. Forgive me. Well, it depends what the input is doing, tbh...
Omzy (author), posted May 25, 2009:
Basically the 'ID' is taken from the URL and there is a form on the page; clicking Submit will POST that form and it gets processed in the script as:

if(isset($_POST['delete'])) {
    $query="DELETE FROM table WHERE id='$_GET['id']'";
    //run the mysql_query
}

So is this safe enough? All the IDs in the database are INTs, do I need to do any intval() check or anything else?
jxrd, posted May 25, 2009:
Well, if I put this in the URL:

&id=';DELETE FROM `sometable` WHERE'1'='1

Your query would then look like this:

$query="DELETE FROM table WHERE id='';DELETE FROM `sometable` WHERE'1'='1'";

So someone could potentially truncate, dump or delete one of your tables. You need to run mysql_real_escape_string() on EVERYTHING being used with a database. That would escape all single quotes in that statement, so it would work fine.
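The thread settles on escaping with mysql_real_escape_string(); the following is an added example, not code posted by anyone in the thread, showing the same INSERT and DELETE handlers rewritten with the prepared statements Axeia mentioned in the second post, plus the intval-style check Omzy asked about. It assumes a PDO connection to MySQL (the DSN, user and password are placeholders), keeps the thread's `table`, `name` and `id` names, and uses filter_var() rather than intval() so that a value like "12abc" is rejected instead of silently truncated to 12.

```php
<?php
// Added example (not from the thread): Omzy's INSERT and DELETE handlers done
// with PDO prepared statements. Table and column names follow the thread;
// DSN and credentials are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

// Validation: the ids are INTs, so anything that is not a positive integer is
// rejected up front. filter_var() returns false for "12abc" or "';DELETE ...",
// whereas intval() would quietly turn the first into 12 and the second into 0.
function validateId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Validation for the name: trim and enforce a length limit. The raw text is
// stored as data; escaping for HTML happens at output time, not here.
function validateName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || strlen($name) > 100) {
        return null;
    }
    return $name;
}

// Parameter binding means a quote, a semicolon or a 0x27 byte in $name is
// sent to the server as data, never spliced into the SQL text.
function insertName(PDO $pdo, string $name): void
{
    $stmt = $pdo->prepare('INSERT INTO `table` (`name`) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

function deleteById(PDO $pdo, int $id): int
{
    $stmt = $pdo->prepare('DELETE FROM `table` WHERE `id` = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Request handling equivalent to the handler Omzy posted.
if (isset($_POST['delete'])) {
    $id = validateId($_GET['id'] ?? null);
    if ($id === null) {
        http_response_code(400);
        exit('invalid id');
    }
    $deleted = deleteById(connect(), $id);
    echo 'Deleted ' . $deleted . ' row(s)';
}

if (isset($_POST['name'])) {
    $name = validateName((string) $_POST['name']);
    if ($name === null) {
        http_response_code(400);
        exit('invalid name');
    }
    insertName(connect(), $name);
    // XSS: escape when echoing user data back into HTML, as MadTechie noted.
    echo 'Saved: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}
```

With this layout the payload jxrd shows never reaches the database at all: validateId() returns null for it and the request is answered with a 400. Even if a check were missed, a bound parameter cannot terminate the statement, so the "second query" in jxrd's example has nowhere to run. The mysql_* functions discussed in the thread were removed in PHP 7, which is why the example uses PDO.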