
User Input Sanitization


berridgeab


Hi

I've spent the past 4 hours reading various forums on sanitizing user input, dos and don'ts, and I'm still not much clearer on what is really correct.

On some websites I've got sites saying all you need is mysql_real_escape_string() and that will do the trick to prevent injection attacks.

On others they say mysql_real_escape_string() is not completely safe when used with MySQL LIKE queries as it doesn't sanitize the % and _ wildcards.

Then there are other websites saying the stripslashes() / addslashes() method is better.

Finally there are websites saying I should forget the lot and move over to prepared statements, PDO or MySQLi, as using these methods eliminates SQL attacks 99.99% of the time. (I've investigated this and this is currently not possible.)

I'm not going to post what I currently use because I will probably get laughed out of the forum (and the rest of the WWW for that matter :P).

Rather than asking someone for what they use to sanitize input, I've put a little example here of what I think is correct. Will this do the trick?

 

//Makes Data Safe (Data is the data you want safe), Set 2nd Parameter to 1 if the data is to be used in a MySQL LIKE query
function Safe($data, $Like = 0)
{
    if (get_magic_quotes_gpc())
    {
        // magic_quotes_gpc already added slashes; strip them so the value is not escaped twice
        $data = mysql_real_escape_string(stripslashes($data));
    }
    else
    {
        $data = mysql_real_escape_string($data);
    }
    //If the Data is going to be used in a MySQL LIKE statement then Escape these characters as MySQL won't like them
    if ($Like)
    {
        $data = str_replace("%", "\%", $data);
        $data = str_replace("_", "\_", $data);
    }
    return $data;
}


According to the MySQL documentation, using addcslashes() after mysql_real_escape_string() is the preferred method of sanitizing for LIKE statements. However, very important, you would use the optional parameter in addcslashes() to only escape the '%' and '_' characters:

$cleanValue = addcslashes(mysql_real_escape_string($userValue), "%_");

See page 78 in this document: http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf

Here is your code revised:

function Safe($data, $Like = false)
{
    // magic_quotes_gpc already added slashes; strip them so the value is not escaped twice
    if (get_magic_quotes_gpc())
    {
        $data = stripslashes($data);
    }
    $data = mysql_real_escape_string($data);

    //If the Data is going to be used in a MySQL LIKE statement then Escape these characters as MySQL won't like them
    if ($Like)
    {
        // Only the two LIKE wildcards are escaped here; the value has already been through
        // mysql_real_escape_string() above, so it must not be passed through it a second time
        $data = addcslashes($data, "%_");
    }
    return $data;
}


Although, I don't know that it is even necessary to check if it is a LIKE statement. In other words, it may be valid to always escape those two values. I'm too busy to validate that right now.
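The two posts above are about the same distinction, so here is one worked example (added for this thread, not code from either poster) that shows it running: keeping quotes out of the SQL is the job of the prepared statement, while deciding whether '%' and '_' in the input act as wildcards is a separate step done on the pattern itself. It uses Python's built-in sqlite3 rather than PHP/MySQL so it runs stand-alone; the LIKE rules it relies on (the '%' and '_' wildcards and a single escape character) are the same as MySQL's, whose default LIKE escape character is the backslash. The table, the names in it and the search prefixes are all constructed for the example.

```python
"""Escaping user input for a SQL LIKE pattern while binding the pattern as a parameter.

Added example for this thread (not from the original posts). SQLite stands in for MySQL;
the ESCAPE clause names the escape character explicitly, which also works on MySQL.
"""
import sqlite3

LIKE_ESCAPE = "\\"  # a single backslash, the escape character used inside LIKE patterns

# Constructed sample data: names chosen to contain every character that matters.
SAMPLE_NAMES = ["alice", "alicia", "al_ex", "100% cotton", "%off", "bob", "back\\slash"]


def escape_like(value: str, esc: str = LIKE_ESCAPE) -> str:
    """Return *value* escaped so that it matches itself literally inside a LIKE pattern.

    The escape character is doubled first, then '%' and '_' are prefixed with it.
    Doing the escape character last would re-escape the backslashes just added.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def make_db() -> sqlite3.Connection:
    """Build an in-memory table holding SAMPLE_NAMES."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    return conn


def search_prefix(conn: sqlite3.Connection, prefix: str,
                  escape_wildcards: bool = True) -> list:
    """Return the names that start with *prefix*, sorted.

    The pattern is always a bound parameter, so a quote in *prefix* can never close the
    string literal (that is what the prepared statement buys you). Whether a '%' or '_'
    typed by the user acts as a wildcard is controlled separately by escape_wildcards.
    """
    literal = escape_like(prefix) if escape_wildcards else prefix
    pattern = literal + "%"  # the trailing '%' is the only wildcard we intend
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'",
        (pattern,),
    ).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    for prefix in ["al_", "%", "100% c", "back\\", "' OR 1=1 --"]:
        print(repr(prefix),
              "unescaped:", search_prefix(db, prefix, escape_wildcards=False),
              "escaped:", search_prefix(db, prefix))
```

Running it shows the two separate effects: the prefix `' OR 1=1 --` matches nothing either way, because the parameter binding keeps it inside the string, whereas `al_` matches three names unescaped and only `al_ex` once the underscore is escaped, and `%` alone matches every row unescaped. In PHP the same shape is a PDO prepared statement with the pattern bound via bindValue() and escape_like() ported one for one; with bound parameters there is no mysql_real_escape_string() step at all. If you do stay on the mysql_ extension as in the posts above, note that mysql_real_escape_string() doubles backslashes and MySQL removes one level when it parses the literal, so a backslash the user typed needs to be escaped for LIKE before, not after, the string-literal escaping, or it will end up escaping whatever character follows it in the pattern.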
