I want to make sure that my form is not vulnerable to injection. In the process of doing so, I found the following.

If I do a preg_match on the data directly submitted to the form, it returns true.

// The form input comes from a text box that has two carriage returns
$data = $_POST['forminput'];
$checkdata = preg_match("/[\r\n]/",$data);
// output: $checkdata = true

However, if I treat the data first and then do a preg_match, it returns false.

// The form input comes from a text box that has two carriage returns
$data = $_POST[forminput];
$data = strip_tags(htmlspecialchars(mysql_real_escape_string($data)));
$checkdata = preg_match("/[\r\n]/",$data);
// output: $checkdata = false

In both examples, if I echo the form input, the string on the screen shows the /r/n. Why does the first example return true and the second return false?

Firstly, you won't need to treat the user input until it passes your preg_match anyway. Treating it beforehand is extra work that is not needed.

Also, if you pasted that code from your text editor, you are missing your quotes around your index.

$data = $_POST['forminput']; //added quotes
$data = strip_tags(htmlspecialchars(mysql_real_escape_string($data))); //not needed
$checkdata = preg_match("/[\r\n]/",$data);
// output: $checkdata = false

As AyKay47 stated, you do not want to "treat" the data before testing it. The purpose of these "escaping" functions is to change the string in some way for a specific purpose. So, you need to understand what the functions you call are doing. And you need to call the appropriate function at the appropriate time.

Your code:

$data = strip_tags(htmlspecialchars(mysql_real_escape_string($data)));

The reason the preg_match call returns a different result is that the string is different.

mysql_real_escape_string "escapes" specific characters in the string to prepare it for sending to the database. One of the characters it escapes is the newline ("\n"). So, after calling mysql_real_escape_string() there will be NO instances of CR-LF ("\r\n") in the string because a backslash has been inserted BEFORE the newline. So, it will be: "\r\\n" (the newline is escaped). (It also escapes the carriage-return, but that does not enter into the reason for the preg_match() "failure".) This function should NOT be used as a general protection function. It is intended to be used when you get ready to send data to the database server.

htmlspecialchars converts certain characters into HTML tags to prepare it for sending to the browser. This function should be called just before sending a string to the browser when you want the HTML to be displayed and not interpreted.

strip_tags removes certain HTML tags from a string. This is handy when you want to display some user-entered text but do not want any HTML to be interpreted and you don't want it displayed.

Calling any of these functions (as well as several others) will change the value in a variable. Since the value is different before and after the function call, tests performed against the variable may return different results.
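An added example, not code from the thread, showing the order both replies recommend: validate the raw submission, then transform only at the boundary that consumes the transformed form. The mysql_ extension used above was removed in PHP 7.0 and mysql_real_escape_string() needed a live connection, so escape_like_mysql() here is a constructed stand-in that reproduces the character table that function applied; $raw is a constructed sample.

```php
<?php
// Constructed stand-in for mysql_real_escape_string(): the newline and
// carriage-return bytes become the two-character sequences "\n" and "\r",
// so the original control bytes are no longer in the string.
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Validation runs against the untouched submission, as in the first snippet.
function contains_line_break(string $raw): bool
{
    return preg_match("/[\r\n]/", $raw) === 1;
}

// Constructed sample: what a text box holding two line breaks submits.
$raw = "first line\r\nsecond line\r\n";

// The raw string matches; the escaped copy does not, because the CR/LF bytes
// were rewritten as backslash sequences before the regex ever saw them.
$rawMatches     = contains_line_break($raw);
$escapedMatches = contains_line_break(escape_like_mysql($raw));
printf("raw: %s, escaped: %s\n",
    var_export($rawMatches, true), var_export($escapedMatches, true));

// Correct ordering for a single-line field: decide on the raw value, then
// apply each transformation only where its output is consumed.
if (contains_line_break($raw)) {
    echo "rejected: single-line field contains a line break\n";
} else {
    $forDb   = escape_like_mysql($raw);                     // only when assembling SQL text;
                                                            // prepared statements avoid this step
    $forHtml = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'); // only when echoing into a page
    echo "stored: $forDb / displayed: $forHtml\n";
}
```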