berridgeab Posted June 10, 2010 Share Posted June 10, 2010 Hi Ive spent the past 4 hours reading various forums on sanitizing user input dos and donts and im still not much clearer on what is really correct. On some websites ive got sites saying all you need is mysql_real_escape_string() and that will do the trick to prevent Injection attacks. On others they say mysql_real_escape_string() is not completely safe when used with MySQL LIKE queries as it doesn't sanitize the % and _ wildcards. Then theres other websites saying the stripslashes() / addslashes() method is better. Finally there are Websites saying I should forget the lot and move over to prepared statements PDO or MySQLi as using these methods eliminates SQL attacks 99.99% of the time. (Ive investigated this and this is currently not possible). I'm not going to post what I currently use because I will probably get laughed out of the forum (And the rest of the WWW for that matter ). Rather than asking someone for what they use to sanatize input ive put a little example here of what I think is correct, will this do the trick? //Makes Data Safe (Data is the data you want safe), Set 2nd Parameter to 1 if the data is to be used in a MySQL LIKE query function Safe($data, $Like = 0) { if (get_magic_quotes_gpc()) { $data = mysql_real_escape_string(stripslashes($data)); } else { $data = mysql_real_escape_string($data); } //If the Data is going to be used in a MySQL LIKE statement then Escape these characters as MySQL won't like them if($Like) { $data = str_replace("%", "\%", $data); $data = str_replace("_", "\_", $data); } return $data; } Quote Link to comment https://forums.phpfreaks.com/topic/204397-user-input-sanitization/ Share on other sites More sharing options...
Psycho Posted June 10, 2010 Share Posted June 10, 2010 According to the mysql documentation using addcshlashes() after using mysql_real_escape_string() is the preferred method of sanitizing for LIKE statements. However, very important, you would use the optional parameter in addcslashes() to only escape the '%' and '_' characters; $cleanValue = addcslashes(mysql_real_escape_string($userValue), “%_”) See page 78 in this document: http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf Here is your code revised: function Safe($data, $Like=false) { if (get_magic_quotes_gpc()) { $data = stripslashes($data); } $data = mysql_real_escape_string($data); //If the Data is going to be used in a MySQL LIKE statement then Escape these characters as MySQL won't like them if($Like) { $data = addcslashes(mysql_real_escape_string($data), “%_”); } return $data; } Although, I don't know that it is even necessary to check if it is a LIKE statement. In other words, it may be valid to always escape those two values. I'm too busy to validate that right now. Quote Link to comment https://forums.phpfreaks.com/topic/204397-user-input-sanitization/#findComment-1070486 Share on other sites More sharing options...
katierosy Posted June 11, 2010 Share Posted June 11, 2010 Nonetheless to us this is correct. If like is used you are escaping %. in addtion to mysql_real_escape_string Quote Link to comment https://forums.phpfreaks.com/topic/204397-user-input-sanitization/#findComment-1070743 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.