AdamHull12 Posted October 4, 2014 (edited)
Hello, I am quite new to the PHP and website scene and I am trying to find the best way to validate and sterilize my $_POST. The way I have come up with is:
$id = filter_var(mysql_real_escape_string($_POST['id']), FILTER_SANITIZE_NUMBER_INT);
or
$id = mysql_real_escape_string($_POST['id']);
$id1 = filter_var($id, FILTER_SANITIZE_NUMBER_INT);
Which will be the best way to do it, or is there a better way? Thanks
Edited October 4, 2014 by AdamHull12
https://forums.phpfreaks.com/topic/291439-securing-_post/
Ch0cu3r Posted October 4, 2014
First, stop using the mysql_* functions; they are no longer supported. It is highly recommended that you update your code to use MySQLi or PDO. When using user data in a query you would not use real_escape_string; instead you would use prepared statements (see the PDO or MySQLi docs for info).
Jacques1 Posted October 8, 2014
The first step is to stop using nonsense terms like “sterilizing”. Data is not “dirty”, so it cannot be “sterilized”. By itself, data doesn't do anything. The question is what you do with it. Do you want to insert the data into an SQL query? An HTML document? A JavaScript context? A PDF? Each case requires an entirely different security strategy. So any attempt at coming up with some magical universal “filter” is futile and conceptually wrong. You need to choose an appropriate solution for the specific context. For SQL queries, you either use prepared statements or manually SQL-escape the data. For an HTML context, you need HTML-escaping. To pass data to JavaScript, you use Ajax. Like I said, there is no one-size-fits-all solution.
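The two points above (Ch0cu3r: prepared statements instead of escaping; Jacques1: a separate strategy per output context) put together as an added example. This is not code from any poster in the thread; it assumes an in-memory SQLite database with a constructed "users" table and constructed request values standing in for $_POST['id'].

```php
<?php
// Added example, not from the thread. Assumes SQLite via PDO and a
// constructed "users" table; the request values below stand in for $_POST['id'].

/** Validation (a usability check): accept only a positive integer, else null. */
function validateId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** SQL context: the value travels as a bound parameter, never inside the SQL text. */
function findUserName(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

/** HTML context: escape at output time, regardless of how the value was stored. */
function renderName(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed data: a name that is fine in SQL but is markup if echoed raw into HTML.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (id, name) VALUES (:id, :name)');
$ins->execute([':id' => 7, ':name' => "O'Brien <b>not bold</b>"]);

// Constructed inputs: one valid id, then three that validation turns away.
foreach (['7', '7.0', '-3', 'abc'] as $raw) {
    $id = validateId($raw);
    if ($id === null) {
        echo 'Rejected input: ' . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . "\n";
        continue;
    }
    $name = findUserName($db, $id);
    echo $name === null ? "No user with id $id\n" : renderName($name) . "\n";
}
```

Note that validateId() only decides whether to run the query at all; the prepared statement and htmlspecialchars() are what keep the SQL and HTML contexts safe even when a value slips past validation.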
cyberRobot Posted October 8, 2014
@AdamHull12 - It might help to know more about what you're trying to do. Are you working on a form and trying to validate the input? If so, you could run $id through ctype_digit() to make sure it's a number...assuming that's what you expect. If $id turns out to be something else, you could re-display the form and show an error.
Jacques1 Posted October 8, 2014
He has clearly stated what he wants to do: secure the input. And validation does not provide security at all. It's a usability feature.
cyberRobot Posted October 8, 2014
> He has clearly stated what he wants to do: secure the input.
That doesn't necessarily mean the OP isn't looking for options. Perhaps AdamHull12 is just using "secure" in a general sense...or maybe doesn't realize there is a difference between validating, filtering, escaping, etc.
Strider64 Posted October 8, 2014 (edited)
If you just want to check to see if it is a valid integer:
<?php
/* If you just want to check to see if it's a valid integer.
   Note: FILTER_VALIDATE_INT only honours min_range when it is
   passed inside an 'options' array; a bare array is ignored. */
if (isset($_POST['id']) && !filter_var($_POST['id'], FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)))) {
    echo "I'm not an integer<br>";
} elseif (isset($_POST['id'])) {
    // Only reached when the value passed validation, so it is a plain integer.
    echo 'The id is ' . $_POST['id'] . '<br>';
}
?>
<form action="" method="post">
    Enter Number <input type="text" name="id">
    <input type="submit" name="submit" value="Submit">
</form>
And maybe this will clear up the confusion: http://us.php.net/manual/en/intro.filter.php
$id = filter_input(INPUT_POST, 'id', FILTER_SANITIZE_NUMBER_INT);
Edited October 8, 2014 by Strider64