Help Me Sanitize


phpsane


Folks,

Someone suggested I sanitize user inputs.
I had things like this with validation but no sanitation:

$primary_website_domain_confirmation = trim($_POST["primary_website_domain_confirmation"]); 
if (!filter_var($primary_website_email,FILTER_VALIDATE_EMAIL)) { 
            echo "You entered an Invalid Email Address!"; 

Now I've got to add the sanitation part. So, where do I add it?
Look at tutorial examples:
https://www.tutorialrepublic.com/php-tutorial/php-form-validation.php
https://www.w3schools.com/php/func_filter_var.asp

The latter tutorial looks simpler. Let's try copying that.
Here is my attempt:

// Remove all illegal characters from email
$primary_website_email = filter_var(trim($email, FILTER_SANITIZE_EMAIL));
//Validate Email
if (!filter_var($primary_website_email,FILTER_VALIDATE_EMAIL)) { 
            echo "You entered an Invalid Email Address!"; 

Did I fit in the SANITIZER in the right place or not?
Anything else I need to know? Yes?

Cheers!


Don't sanitize by altering what the user entered. Validate, and if it's not valid then prompt the user to fix it.

Cleaning input for minor issues, like by trimming spaces, is fine when the idea is to correct mistakes that the user obviously did not intend to make. I don't mean mistakes like the user not understanding the input requirements, or even mistakes like typos. I mean mistakes like putting a space at the end of their email address: everybody knows that space shouldn't be there, and it's very likely that if there was one the user didn't know about it (if simply because spaces are invisible), so removing spaces is fine to do. However doing things like stripping "invalid" characters from email addresses is altering what that the input was, and if there were such characters then the user should be told about it so they can decide how to fix it.


7 minutes ago, requinix said:

Don't sanitize by altering what the user entered. Validate, and if it's not valid then prompt the user to fix it.

Q1.

You mean I should not SANITIZE to learn whether the user is deliberately inputting things wrong, like adding HTML or PHP tags to do SQL injection?

MMM. Halfway done the job.

	       $primary_website_domain = filter_var(trim($_POST["primary_website_domain"],FILTER_SANITIZE_DOMAIN); 
        $primary_website_domain_confirmation = filter_var(trim($_POST["primary_website_domain_confirmation"],FILTER_SANITIZE_DOMAIN); 
        $primary_website_email = filter_var(trim($_POST["primary_website_email"],FILTER_SANITIZE_EMAIL); 
        $primary_website_email_confirmation = filter_var(trim($_POST["primary_website_email_confirmation"],FILTER_SANITIZE_EMAIL);
	

But, in Notepad++ this ain't turning BLUE. Hence, guessing it is wrong.

FILTER_SANITIZE_DOMAIN

Q2.

If I should not sanitize then why did they build it? I know you're objecting due to experience. So, when should I sanitize then?

Q3.

Can you help me sanitize this for learning purposes?

	$primary_website_email_extracted_domain = substr(strrchr($primary_website_email,"@"),1); 
	

Q4.

What problems did you encounter during your sanitation period? Has anyone hacked into your servers?


1 minute ago, phpsane said:

You mean I should not SANITIZE to learn whether the user is deliberately inputting things wrong, like adding HTML or PHP tags to do SQL injection?

Why am I not surprised.

Sanitizing, validating, and escaping are three different things. Sanitizing is changing the user's input because you didn't like it. Almost always means removing characters from it. You shouldn't do this except for minor issues like spaces because you're altering what the user wrote and they won't like it. Validating is detecting whether the input looks correct and usable. It never changes the value, only examines it. Always do this. Escaping is taking some input and making sure it can't be interpreted as anything other than the plain value it is. Almost always means adding characters to it, like backslashes. Always do this.

Sanitizing and escaping can both protect you from XSS and SQL injection. Sometimes people get "sanitize" and "escape" backwards, like saying that mysqli_real_escape_string "sanitizes" the input by adding backslashes, but if you look above you'll see that sanitizing means removing and escaping means adding so what they really mean is that mysqli_real_escape_string escapes the input.

12 minutes ago, phpsane said:

But, in Notepad++ this ain't turning BLUE. Hence, guessing it is wrong.

Count your parentheses.

13 minutes ago, phpsane said:

If I should not sanitize then why did they build it? I know you're objecting due to experience. So, when should I sanitize then?

Because there are occasional times when sanitizing is the right thing to do. However the web industry has mostly decided that you should not do so with user inputs and that validation and error messages are better.

14 minutes ago, phpsane said:

Can you help me sanitize this for learning purposes?

I don't know what you are expecting from me.

15 minutes ago, phpsane said:

What problems did you encounter during your sanitation period? Has anyone hacked into your servers?

Sanitization period?

Yes, I have accidentally written code that was susceptible to XSS or SQL injection. No, when it's happened nobody on the internet ever abused it as far as I know.

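Added example (not part of the thread, and not requinix's or phpsane's code): the three operations described in the reply above, sanitize, validate and escape, run side by side on constructed inputs so the difference is visible in the output. It assumes PHP 7.1 or later; the function names, the 500-character bio limit and the sample strings are my own choices.

```php
<?php
// Added example, not code from the thread: sanitizing REMOVES characters,
// validating only EXAMINES the value, escaping ADDS characters at output time.
// Assumes PHP 7.1+ (nullable return types). Sample inputs are constructed.
declare(strict_types=1);

/** SANITIZE: FILTER_SANITIZE_EMAIL drops every character outside its allowlist and returns what is left. */
function sanitizeEmail(string $raw): string
{
    return (string) filter_var($raw, FILTER_SANITIZE_EMAIL);
}

/** VALIDATE: trim surrounding whitespace (the one silent correction), then accept or reject, never alter. */
function validateEmail(string $raw): ?string
{
    $email = trim($raw);
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

/** VALIDATE a free-text field: a length rule only, nothing is removed. The 500 limit is assumed. */
function validateBio(string $raw): ?string
{
    $bio = trim($raw);
    $len = mb_strlen($bio, 'UTF-8');
    return ($len >= 1 && $len <= 500) ? $bio : null;
}

/** ESCAPE for HTML: entities are added so the stored text cannot become markup. */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** ESCAPE for a URL query string: percent-encoding keeps '@', '&' and '=' as data. */
function escapeForQuery(string $value): string
{
    return rawurlencode($value);
}

// Constructed inputs: a trailing space (fine to trim) and a stray '<' (must be reported, not stripped).
$emails = ['alice@example.com ', 'ali<ce@example.com'];
foreach ($emails as $raw) {
    $valid = validateEmail($raw);
    printf("%-24s sanitized: %-20s validated: %s\n",
        json_encode($raw), sanitizeEmail($raw), $valid ?? 'REJECT (tell the user)');
    if ($valid !== null) {
        // Escaping happens at the output boundary, once per context.
        echo "  as query param: ?website_email=", escapeForQuery($valid), PHP_EOL;
    }
}

// A value that is legitimate data but dangerous in an HTML context.
$bio = 'I <3 PHP & "prepared statements"';
$validBio = validateBio($bio) ?? '';
echo "bio stored  : ", $validBio, PHP_EOL;                 // validation left it unchanged
echo "bio in HTML : ", escapeForHtml($validBio), PHP_EOL;  // escaping added entities
echo "bio stripped: ", strip_tags($validBio), PHP_EOL;     // what a "sanitize" step would have thrown away
```

For SQL the escaping step is the prepared statement itself: `mysqli_prepare($conn, 'INSERT INTO users (email) VALUES (?)')` with the value bound as `'s'` sends the data separately from the query text, which is why mysqli_real_escape_string is not needed there.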

1 hour ago, requinix said:

Why am I not surprised.

Sanitizing, validating, and escaping are three different things. Sanitizing is changing the user's input because you didn't like it.

Oh no! Then, you mean to say I messed things up now in the last hour by adding sanitization when I only had validation originally. Right?

This is what I have done now:

regisistration.php

	        //Create Variables based on user inputs. 
        $fb_tos_agreement_reply = trim($_POST["fb_tos_agreement_reply"]); 
        $username = filter_var(trim($_POST["username"],FILTER_SANITIZE_STRING)); 
        $password = $_POST["password"]; 
        $password_confirmation = $_POST["password_confirmation"]; 
        $primary_website_domain = filter_var(trim($_POST["primary_website_domain"],FILTER_SANITIZE_DOMAIN)); 
        $primary_website_domain_confirmation = filter_var(trim($_POST["primary_website_domain_confirmation"],FILTER_SANITIZE_DOMAIN)); 
        $primary_website_email = filter_var(trim($_POST["primary_website_email"],FILTER_SANITIZE_EMAIL)); 
        $primary_website_email_confirmation = filter_var(trim($_POST["primary_website_email_confirmation"],FILTER_SANITIZE_EMAIL)); 
        $primary_website_email_extracted_domain = substr(strrchr($primary_website_email,"@"),1); 
        $age_range = filter_var(trim($_POST["age_range"],FILTER_SANITIZE_STRING)); 
        $account_activation_code = sha1( (string) mt_rand(0,99999999)); //Type Casted the INT to STRING on the 1st parameter of sha1 as it needs to be a string. 
        $account_activation_link = sprintf("http://www.%s/%s/activate_account.php?website_email=%s&account_activation_code=%s",
        $site_domain,$social_network_name,urlencode("$primary_website_email"),urlencode($account_activation_code));         
        $account_activation_status = 0; //1 = active; 0 = inactive. 
        $hashed_password = password_hash($password,PASSWORD_DEFAULT); //Encrypt the password. 
        
        if (strlen($fb_tos_agreement_reply) < 1 || $fb_tos_agreement_reply != "Yes") { 
            echo "You must agree to our <a href='tos.html'>Terms & Conditions</a>!"; 
        //Check if inputted Username is valid or not. 
        } elseif (!filter_var($username,FILTER_VALIDATE_STRING)) { 
            echo "You entered an Invalid Username!"; 
        //Check if inputted Username is between the required 8 to 30 characters long or not. 
        } elseif (strlen($username) < 8 || strlen($username) > 30) { 
            echo "Username has to be between 8 to 30 characters long!"; 
        //Check if Password is between 8 to 30 characters long or not. 
        } elseif (strlen($password) < 8 || strlen($password) > 30) { 
            echo "Password must be between 8 to 30 characters long!"; 
        //Check if both inputted Passwords match or not. 
        } elseif ($password != $password_confirmation) { 
            echo "Your entered 2 Passwords don't match!"; 
        //Check if both inputted Domains match or not. 
        } elseif ($primary_website_domain != $primary_website_domain_confirmation) { 
            echo "Your entered 2 Primary Website Domains don't match!"; 
        //Check if inputted Domain is valid or not. 
        } elseif (!filter_var($primary_website_domain,FILTER_VALIDATE_DOMAIN)) { 
            echo "You entered an Invalid Domain Name!"; 
        //Check if both Email Inputs match or not. 
        } elseif ($primary_website_email != $primary_website_email_confirmation) { 
            echo "Your 2 Email inputs don't match!"; 
        //Check if inputted Email is valid or not. 
        } elseif (!filter_var($primary_website_email,FILTER_VALIDATE_EMAIL)) { 
            echo "You entered an Invalid Email Address!";         
        //Check if inputted Domain and Email Domain match or not. 
        } elseif ($primary_website_email_extracted_domain != $primary_website_domain) { 
            echo "Your Email Address must belong to your Domain Name: \"$primary_website_domain\"!"; 
        } 
details_personal.php

	//Create Variables based on user inputs. 
        $passport_size_photoh_image = trim($_POST["passport_size_photoh_image"],FILTER_SANITIZE_STRING)); 
        $title = trim($_POST["title"]); 
        $first_name = filter_var(trim($_POST["first_name"],FILTER_SANITIZE_STRING)); 
        $middle_name = filter_var(trim($_POST["middle_name"],FILTER_SANITIZE_STRING)); 
        $surname = filter_var(trim($_POST["surname"],FILTER_SANITIZE_STRING)); 
        $gender = trim($_POST["gender"]); 
        $date_of_birth = filter_var($_POST["date_of_birth"],FILTER_SANITIZE_STRING)); 
        $skin_complexion = trim($_POST["skin_complexion"]); 
        $height = filter_var(trim($_POST["height"],FILTER_SANITIZE_STRING)); 
        $weight = filter_var(trim($_POST["weight"],FILTER_SANITIZE_STRING)); 
        $sexual_orientation = trim($_POST["sexual_orientation"]); 
        $religion = trim($_POST["religion"]); 
        $education = filter_var(trim($_POST["education"],FILTER_SANITIZE_STRING)); 
        $profession = filter_var(trim($_POST["profession"],FILTER_SANITIZE_STRING));         
        $marital_status = trim($_POST["marital_status"]); 
        $working_status = $_POST["working_status"]; 
        $bio = filter_var(trim($_POST["bio"],FILTER_SANITIZE_STRING)); 
        $password = $_POST["password"]; 
        
        //Step 3: Check Personal Details for matches against personal_details database. If no matches then validate inputs to update Personal Details.            
        
        //Select Username against personal_details tbl to see if personal details have already been submitted or not. 
        $stmt = mysqli_prepare($conn,"SELECT password FROM personal_details WHERE username = ?"); 
        mysqli_stmt_bind_param($stmt,'s',$user); 
        mysqli_stmt_execute($stmt); 
        $result = mysqli_stmt_get_result($stmt); 
        $row = mysqli_fetch_array($result, MYSQLI_ASSOC); 
        
        //Check if Password match or not. 
        if ($row['password'] != $password) { 
            echo "Password is incorrect!"; 
        //Check if inputted First Name is valid or not. 
        } elseif (!filter_var($first_name,FILTER_VALIDATE_STRING)) { 
            echo "You entered an invalid First Name!"; 
        //Check if First Name is between the required 2 to 25 characters long or not. 
        } elseif (strlen($first_name) < 2 || strlen($first_name) > 25) { 
            echo "We don't believe you are inputting your real First Name!"; 
        //Check if inputted Surname is valid or not. 
        } elseif (!filter_var($surname,FILTER_VALIDATE_STRING)) { 
            echo "You entered an invalid Surname!";     
        //Check if Surname is between the required 2 to 25 characters long or not. 
        } elseif (strlen($surname) < 2 || strlen($surname) > 25) { 
            echo "We don't believe you are inputting your real Surname!"; 
        //Check if User selected Gender or not. 
        } elseif (empty($gender)) { 
            echo "Select your Gender!"; 
        //Check if User selected Skin Complexion or not. 
        } elseif (empty($skin_complexion)) { 
            echo "Select your Skin Complexion!"; 
        //Check if User selected Height or not. 
        } elseif (empty($height)) { 
            echo "Select your Height!"; 
        //Check if inputted Height is valid or not. 
        } elseif (!filter_var($height,FILTER_VALIDATE_STRING)) { 
            echo "You entered an invalid height!"; 
        //Check if User selected Weight or not. 
        } elseif (empty($weight)) { 
            echo "Select your Weight!"; 
        //Check if inputted Weight is valid or not. 
        } elseif (!filter_var($weight,FILTER_VALIDATE_STRING)) { 
            echo "You entered an invalid weight!"; 
        //Check if User selected Sexual Orientation or not. 
        } elseif (empty($sexual_orientation)) { 
            echo "Select your Sexual Orientation!"; 
        //Check if User selected Religion or not. 
        } elseif (empty($religion)) { 
            echo "Select your Religion!"; 
        //Check if User selected Education or not. 
        } elseif (empty($education)) { 
            echo "Select your Education!"; 
        //Check if inputted Education is valid or not. 
        } elseif (!filter_var($education,FILTER_VALIDATE_STRING)) { 
            echo "You entered an invalid Education!";     
        //Check if User selected Profession or not. 
        } elseif (empty($profession)) { 
            echo "Select your Profession!"; 
        //Check if inputted Profession is valid or not. 
        } elseif (!filter_var($profession,FILTER_VALIDATE_STRING)) { 
            echo "You entered an invalid profession!";     
        //Check if User selected Marital Status or not. 
        } elseif (empty($marital_status)) { 
            echo "Select your Marital Status!"; 
        //Check if User selected Working Status or not. 
        } elseif (empty($working_status)) { 
            echo "Select your Working Status!"; 
        } 
	

I sure know how to get things messed-up! Right ?

NOTE: This ain't working: FILTER_SANITIZE_DOMAIN. Checked parentheses. No luck. They still don't turn BLUE in Notepad++.


So you're still using sanitization - I can tell because of all the FILTER_SANITIZE_* flags in there. Then you're adding validation?

Say you want me to enter a number. I enter "abc123". That is not a number. You sanitize it for a number by removing anything that's not a number. The result is "123". You then validate it. It says the input is valid.

I entered "abc123". You accepted it and decided to use "123". That's not how it is supposed to go.

1 minute ago, phpsane said:

I sure know how to get things messed-up! Right ?

I don't think anyone ever doubted that.

4 minutes ago, phpsane said:

This ain't working: FILTER_SANITIZE_DOMAIN.

Fix your environment so that you see all PHP errors. Because you don't have it that way. Because if you did have it that way then you would know what's wrong.

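Added example, not from the thread: the "abc123" pitfall from the post above in runnable form and, going one step beyond the post, the same pitfall applied to the two fields this thread is about, email and domain. It assumes PHP 7.1 or later (FILTER_VALIDATE_DOMAIN, list destructuring in foreach); the helper names and sample inputs are mine. There is no FILTER_SANITIZE_DOMAIN, so the domain row uses FILTER_SANITIZE_URL as the nearest thing a tutorial might suggest.

```php
<?php
// Added example, not code from the thread: "sanitize, then validate" accepts
// inputs that "validate only" correctly rejects, because the sanitizer has
// already rewritten the value before the validator looks at it.
// Assumes PHP 7.1+. All inputs below are constructed.
declare(strict_types=1);

/** The tutorial pattern: strip first, check second. @return string|int|false */
function sanitizeThenValidate(string $raw, int $sanitizer, int $validator, int $flags = 0)
{
    $sanitized = (string) filter_var($raw, $sanitizer);
    return filter_var($sanitized, $validator, ['flags' => $flags]);
}

/** The recommended pattern: trim whitespace, check, never rewrite. @return string|int|false */
function validateOnly(string $raw, int $validator, int $flags = 0)
{
    return filter_var(trim($raw), $validator, ['flags' => $flags]);
}

// Each input is something a user could plausibly type by mistake, and each is
// NOT what you would want stored under their name.
$cases = [
    // requinix's example: letters in a numeric field
    ['abc123',             FILTER_SANITIZE_NUMBER_INT, FILTER_VALIDATE_INT,    0],
    // a stray '<' in an email address
    ['ali<ce@example.com', FILTER_SANITIZE_EMAIL,      FILTER_VALIDATE_EMAIL,  0],
    // a space inside a domain name; FILTER_SANITIZE_URL silently removes it
    ['exam ple.com',       FILTER_SANITIZE_URL,        FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME],
];

foreach ($cases as [$raw, $sanitizer, $validator, $flags]) {
    $accepted = sanitizeThenValidate($raw, $sanitizer, $validator, $flags);
    $checked  = validateOnly($raw, $validator, $flags);
    printf("%-22s sanitize+validate => %-22s validate only => %s\n",
        json_encode($raw),
        $accepted === false ? 'REJECT' : var_export($accepted, true),
        $checked  === false ? 'REJECT' : var_export($checked, true));
}
```

Compare the two columns row by row: the left column is what the user will be registered with without ever being told their input was changed. The domain row carries a second trap worth knowing: without FILTER_FLAG_HOSTNAME, FILTER_VALIDATE_DOMAIN only checks label and overall length, so the flag is what actually makes the space (and leading hyphens or underscores) a rejection.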

29 minutes ago, requinix said:

So you're still using sanitization - I can tell because of all the FILTER_SANITIZE_* flags in there. Then you're adding validation?

Fix your environment so that you see all PHP errors. Because you don't have it that way. Because if you did have it that way then you would know what's wrong.

I get your point now.

But, look on the things I sanitized. Domain and Email.

However, you may have a point on this one:

	if (!filter_var($username,FILTER_VALIDATE_STRING))
	

But, I reckon these following are correct unless you can show me another example why they are incorrect. 

	$primary_website_domain = filter_var(trim($_POST["primary_website_domain"],FILTER_SANITIZE_DOMAIN)); 
 $primary_website_email = filter_var(trim($_POST["primary_website_email"],FILTER_SANITIZE_EMAIL)); 
	

Yes, I know Barand and you would say the VALIDATE is enough for the Domain and the Email but to gain work experience of pitfalls, I want you to trouble your intelligent pretty heads a little and show me a pitfall example on these 2 like you did with the "abc123".

I have error reporting on. Haven't run the script yet. It's just "FILTER_SANITIZE_DOMAIN" doesn't turn BLUE like "FILTER_SANITIZE_EMAIL" does on NotePad++.

	<?php 
	//ERROR REPORTING CODES. 
declare(strict_types=1); 
ini_set('display_errors', '1'); 
ini_set('display_startup_errors', '1'); 
error_reporting(E_ALL); 
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); 
	?> 
	


7 minutes ago, phpsane said:

But, I reckon these following are correct unless you can show me another example why they are incorrect.

I think at this point anything I say will just be rehashing the same stuff I've said before.

7 minutes ago, phpsane said:

It's just "FILTER_SANITIZE_DOMAIN" doesn't turn BLUE like "FILTER_SANITIZE_EMAIL" does on NotePad++.

Can you think of any possible reason why it might not like "FILTER_SANITIZE_DOMAIN" but has no problem with FILTER_SANITIZE_EMAIL? Any reason at all?


1 hour ago, requinix said:

Can you think of any possible reason why it might not like "FILTER_SANITIZE_DOMAIN" but has no problem with FILTER_SANITIZE_EMAIL? Any reason at all?

No such FILTER exists.

I'm only banging on about it because I thought I read on 2 tutorials that it exists. Might have mistaken it for some regex I saw that grabs the domain just like regex can extract an email and URL. Since FILTER_SANITIZE_EMAIL and FILTER_SANITIZE_URL exist I probably imagined I saw FILTER_SANITIZE_DOMAIN somewhere and got that image to stick in memory.

Googling for "FILTER_SANITIZE_DOMAIN" shows no links mentioning FILTER_SANITIZE_DOMAIN. Instead, if you click the Next button to page 2 (SERP) then the keywords search or google search query auto changes from "FILTER_SANITIZE_DOMAIN" to "FILTER_SANITIZE_STRING". See for yourself. There you go, you learnt something about google tonight, just like I did! ?

PS - Packing it for the night! Or, shall I say "sunrise" here ? Lol! Stayed-up all night. And, you may reward me for that by showing me how you would get php to check whether the user input is a valid domain or not. Thanks in advance! When I wake-up, I will start using your snippet. Regex or whatever. Make sure the snippet works, though. No misfires. Ok ? I have to learn from YOU how you validate: Domain, Subdomain, Url and Username. I know the "Username" depends on what chars I allow and so to be on safeside, what chars should I allow or disallow ?

After that. I think I will be done. And, you may close this thread. But, only after I get what I asked for. ;)

Oh! A big goodnight! Very tiring night it has been. Win10 causing trouble. Space Bar not working and so for every space I have to click the onscreen space bar. Now, count how many threads and posts I opened and posted within 10hrs approx. Count how many words in this post alone and each time having to do this space bar clicking on the onscreen keyboard! Found no solution googling for days. Been like this for 2-3 months. Drivers re-installation no luck! What a frustration that Bill Gates causes us!

After all this suffering (space bar nonsense), never giving-up and still programming and learning. Days in and days out! I deserve a medal from php vendors. Lol! And, compensation from Billy the Goat!?

Will try this after I wakeup:

https://www.drivereasy.com/knowledge/solved-spacebar-not-working-windows-10/

Cheers Requinix! You stuck with me the whole night (approx 10hrs)!


Mmm.

After 2 nights I see no helpful responses.

Anyway, looking at this:

http://php.net/manual/en/filter.filters.validate.php

I realize this exist:

FILTER_SANITIZE_STRING

But not this:

FILTER_VALIDATE_STRING

And, I realize this does NOT exist:

FILTER_SANITIZE_DOMAIN

But this DOES:

FILTER_VALIDATE_DOMAIN

Am I on right track ?

I thought for every SANITIZE there is a VALIDATE and vice-versa. But, I was wrong 2 nights ago to think like that. Correct ?

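Added example, not from the thread: validate-only checks for the fields phpsane asked about (domain, subdomain, URL, username) plus the "email must belong to the website domain" rule from registration.php, written with the filters that do exist (FILTER_VALIDATE_DOMAIN, not the non-existent FILTER_SANITIZE_DOMAIN). It assumes PHP 7.1 or later; the allowed username character set, the 8 to 30 length taken from the registration code, and the sample inputs are my choices, not anything the thread prescribes.

```php
<?php
// Added example, not code from the thread. Every function either returns the
// value unchanged (apart from trimming / lowercasing a hostname) or rejects it;
// nothing is stripped. Assumes PHP 7.1+. Sample inputs are constructed.
declare(strict_types=1);

/**
 * Hostname validation. Without FILTER_FLAG_HOSTNAME, FILTER_VALIDATE_DOMAIN only
 * checks label and total length; the flag is what rejects spaces, underscores and
 * leading/trailing hyphens. The host is lowercased because DNS names are
 * case-insensitive and emailBelongsToDomain() compares the result.
 */
function validateDomain(string $raw): ?string
{
    $host = strtolower(trim($raw));
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return null;
    }
    // Assumed policy: a website domain must contain a dot, so a bare label like "localhost" is refused.
    return strpos($host, '.') === false ? null : $host;
}

/** Subdomain: a valid hostname that ends with ".<parent>" and is not the parent itself. */
function isSubdomainOf(string $candidate, string $parent): bool
{
    $host = validateDomain($candidate);
    $base = validateDomain($parent);
    if ($host === null || $base === null || $host === $base) {
        return false;
    }
    $suffix = '.' . $base;
    return substr($host, -strlen($suffix)) === $suffix;
}

/** URL: must parse, must be http(s), and its host must pass the same hostname rule. */
function validateUrl(string $raw): ?string
{
    $url = trim($raw);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if (!is_array($parts) || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return null;
    }
    return validateDomain($parts['host'] ?? '') === null ? null : $url;
}

/**
 * Username: an explicit allowlist answers "what chars should I allow". Assumed rule:
 * letters, digits, underscore and dot, starting with a letter, 8 to 30 characters
 * (the length limits from registration.php). Anything else is rejected, not stripped.
 */
function validateUsername(string $raw): ?string
{
    $name = trim($raw);
    return preg_match('/\A[a-z][a-z0-9_.]{7,29}\z/i', $name) === 1 ? $name : null;
}

/**
 * The registration.php rule: the domain part of an already-validated email
 * (extracted with strrchr as in the thread) must equal the validated website domain.
 */
function emailBelongsToDomain(string $email, string $domain): bool
{
    $validEmail  = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    $validDomain = validateDomain($domain);
    if ($validEmail === false || $validDomain === null) {
        return false;
    }
    $emailDomain = strtolower(substr(strrchr($validEmail, '@'), 1));
    return $emailDomain === $validDomain;
}

// Constructed inputs: mixed case, an embedded space, a leading hyphen, a lookalike
// domain that is not a subdomain, a non-http scheme, a too-short username, and an
// email on a subdomain of the website domain.
var_dump(validateDomain('Example.COM'));
var_dump(validateDomain('exam ple.com'));
var_dump(validateDomain('-bad.example.com'));
var_dump(isSubdomainOf('blog.example.com', 'example.com'));
var_dump(isSubdomainOf('notexample.com', 'example.com'));
var_dump(validateUrl('https://example.com/activate_account.php?x=1'));
var_dump(validateUrl('javascript:alert(1)'));
var_dump(validateUsername('alice_1984'));
var_dump(validateUsername('ali'));
var_dump(emailBelongsToDomain('Alice@Example.com', 'example.com'));
var_dump(emailBelongsToDomain('alice@mail.example.com', 'example.com'));
```

The point of the last case is that "belongs to" needs a deliberate decision: the code above requires an exact match, and if addresses on subdomains should count too, that is one extra isSubdomainOf() call rather than a looser string comparison. Note also that FILTER_SANITIZE_STRING, used throughout the posted details_personal.php, is deprecated as of PHP 8.1, and FILTER_VALIDATE_STRING has never existed, which is why those checks never do what the comments next to them say.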

21 minutes ago, Barand said:

Have you considered that it might be a broken spacebar key contact on the keyboard? Hardware faults can happen.

Have you tried a different keyboard?

No.

Spacebar key along with others (eg, x, w, 2, etc.) malfunction from time to time then a few days later start working again.

Only this time Spacebar taking long time to come around again.

Right now x works but not SHIFT x (to CAPITALISE). But SHIFT T, etc. works and so SHIFT button is working. Have to press CAPS then x to CAPITALISE X.

Also, one ENTER works but not the other!

https://www.google.com/search?q=solved-spacebar-not-working-windows-10&oq=solved-spacebar-not-working-windows-10&aqs=chrome..69i57j69i60.3922j0j4&sourceid=chrome&ie=UTF-8
