
User Input Sanitization


berridgeab

Hi

I've spent the past 4 hours reading various forums on sanitizing user input do's and don'ts and I'm still not much clearer on what is really correct.

On some websites I've got sites saying all you need is mysql_real_escape_string() and that will do the trick to prevent injection attacks.

On others they say mysql_real_escape_string() is not completely safe when used with MySQL LIKE queries as it doesn't sanitize the % and _ wildcards.

Then there's other websites saying the stripslashes() / addslashes() method is better.

Finally there are websites saying I should forget the lot and move over to prepared statements, PDO or MySQLi, as using these methods eliminates SQL attacks 99.99% of the time. (I've investigated this and this is currently not possible.)

I'm not going to post what I currently use because I will probably get laughed out of the forum (and the rest of the WWW for that matter :P).

Rather than asking someone for what they use to sanitize input, I've put a little example here of what I think is correct. Will this do the trick?

<?php
// Makes data safe ($data is the data you want safe). Set the 2nd parameter to 1 if the data is to be used in a MySQL LIKE query.
function Safe($data, $Like = 0)
{
    if (get_magic_quotes_gpc())
    {
        // Magic quotes already added slashes; strip them first so the value is not escaped twice
        $data = mysql_real_escape_string(stripslashes($data));
    }
    else
    {
        $data = mysql_real_escape_string($data);
    }
    // If the data is going to be used in a MySQL LIKE statement, escape the wildcards as well, as MySQL won't like them
    if ($Like)
    {
        $data = str_replace("%", "\%", $data);
        $data = str_replace("_", "\_", $data);
    }
    return $data;
}

https://forums.phpfreaks.com/topic/204397-user-input-sanitization/

According to the MySQL documentation, using addcslashes() after mysql_real_escape_string() is the preferred method of sanitizing for LIKE statements. However, very important, you would use the optional parameter in addcslashes() to only escape the '%' and '_' characters:

$cleanValue = addcslashes(mysql_real_escape_string($userValue), "%_");

See page 78 in this document: http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf

Here is your code revised:

<?php
function Safe($data, $Like = false)
{
    if (get_magic_quotes_gpc())
    {
        // Magic quotes already added slashes; strip them so the value is not escaped twice
        $data = stripslashes($data);
    }
    $data = mysql_real_escape_string($data);

    // If the data is going to be used in a MySQL LIKE statement, escape the wildcards as well.
    // $data has already been through mysql_real_escape_string() above, so only % and _ are escaped here
    // (calling mysql_real_escape_string() a second time would double-escape quotes and backslashes).
    if ($Like)
    {
        $data = addcslashes($data, "%_");
    }
    return $data;
}

Although, I don't know that it is even necessary to check if it is a LIKE statement. In other words, it may be valid to always escape those two values. I'm too busy to validate that right now.
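The wildcard escaping the reply describes, as an added example that is not code from this thread: it runs the same idea against a throwaway in-memory SQLite table through PDO (assumed to be available with the pdo_sqlite driver; the sample rows are constructed), so the difference between a raw and an escaped value can be observed without a MySQL server. It goes one step beyond the reply in that, with a bound parameter, nothing else escapes the value, so the backslash has to be covered as well as % and _.

```php
<?php
// Added example, not code from this thread. Assumes PDO with the pdo_sqlite
// driver; the table contents below are constructed for the demonstration.

// Escape a user value so it matches literally inside a LIKE pattern. With a
// bound parameter nothing else escapes the value, so the escape character
// itself (backslash) must be covered as well as the two wildcards. With
// mysql_real_escape_string() the backslash is already handled, which is why
// the reply above passes only "%_" to addcslashes(). addcslashes() makes a
// single pass, so a backslash in the input becomes "\\" and is not re-escaped.
function escapeLikeValue(string $value): string
{
    return addcslashes($value, '\\%_');
}

// Count rows whose name contains $userValue, with or without escaping.
function countMatches(PDO $db, string $userValue, bool $escape): int
{
    $needle = $escape ? escapeLikeValue($userValue) : $userValue;
    // Backslash is MySQL's default LIKE escape character; SQLite has none,
    // so it is declared explicitly. The pattern travels as a bound parameter
    // and never becomes part of the SQL text.
    $sql  = "SELECT COUNT(*) FROM users WHERE name LIKE ? ESCAPE '\\'";
    $stmt = $db->prepare($sql);
    $stmt->execute(['%' . $needle . '%']);
    return (int) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (name TEXT)');
$insert = $db->prepare('INSERT INTO users (name) VALUES (?)');
foreach (['alice', 'bob', '100%', 'a_c', 'abc'] as $name) {
    $insert->execute([$name]);
}

// A raw "%" or "_" acts as a wildcard and matches far more rows than the
// user asked for; the escaped value only matches names containing it literally.
foreach (['%', '_', 'a_c', '100%'] as $input) {
    printf("%-5s raw=%d escaped=%d\n",
        $input,
        countMatches($db, $input, false),
        countMatches($db, $input, true));
}
```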
