Ikerepc (Author) Posted April 9, 2019

Hi! I wanna know what is the best way to secure my inputs? Now I'm using something like this function:

```php
public function z($var) {
    $result1 = htmlspecialchars($var);                            // HTML-encodes <, >, &, " (output escaping)
    $result = mysqli_real_escape_string($this->conn, $result1);   // then escapes the encoded string for a MySQL literal
    return $result;
}
```

but I don't know how secure it is from all inputs... It couldn't be that with that my site is completely secure... So I wanna know what else I should use... I found something about PHP sanitize filters and similar... Same for mail: should I use that for e-mail? What should I use for e-mails, as I think these 2 codes will break the character @ necessary for e-mails. Any suggestion is welcome. Thanks
gw1500se Posted April 9, 2019

What you posted has nothing to do with securing your web site. Validate the data first. Then use prepared statements.
jodunno Posted April 9, 2019

Hello and I hope that you are having a pleasant day. For one thing, you specify your location to be Croatia. Thus, I imagine that you want to handle languages with characters outside of ASCII. Hence, UTF-8 and PHP htmlentities instead of htmlspecialchars.

Input is just input. Input is not dangerous until it is placed in an executable state. So if you accept a username, then display that username to a screen (output), then the username must be escaped. If you execute a query to a database, then you need to use PDO and not execute the input directly in the query (so OR 1 is not executed). If you are sending mail, then you must be certain that CC is not input or it will be executed.

So, the best practice is to validate input first and foremost. Then use PDO prepared statements with emulated prepares set to false for any query against a db with this input. Then, if you plan to output the data, use htmlentities and html_entity_decode respectively to clean the code from execution.

I do not filter input but I also do not output any input. I don't have a forum or any type of app that requires me to do so. I am building a member based login website but I have no desire to show your screen name for any purpose. I don't need to say "Good morning, user" when I can just say "Good morning." I do show your screen name at a change screen name form, but I use htmlentities and html_entity_decode to clean the name and I do not place the name in any name specific HTML tags or attributes.

I see that someone else has posted a reply. I agree that you should be using PDO.
NotionCommotion Posted April 9, 2019

Totally agree with prepared statements. Also, don't try to do your own "custom" protection thinking that it will be safer because it is just your own and not typical. In addition, look at https://www.owasp.org/index.php/Web_Application_Security_Guidance
Ikerepc (Author) Posted April 9, 2019

Yeah, I'm building a software for practice in PHP and mysqli. So I wanna know methods for max protection as it's the most important thing when you are working with PHP. I'm building it from scratch so yeah, I'm using what I found on most of the sites... And that's what I posted in the first post. I'm from Croatia, yes, so we have letters like č, ć, ž, đ, š... I'll check the difference between those htmlentities and this what I'm using now, thanks :) Also, because it's "software", yes, there are a lot of things that are going to the database and showing on the site. So I'm using this code I posted and ifs for each input to check if it's filled... Right now I'm not validating inputs, I will do that next.
jodunno Posted April 9, 2019

PDO is nice and easy. Here is an example using a login:

```php
<?php
$database = 'database_name';
$host = '127.0.0.1';
$user = 'database_user_name';
$pass = 'database_user_password';
$attributes = array(
    PDO::ATTR_EMULATE_PREPARES => false,            // real server-side prepared statements
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,    // throw on errors instead of failing silently
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
);
// DSN written without spaces around the semicolons
$dbh = new PDO("mysql:host=$host;dbname=$database;charset=utf8mb4", $user, $pass, $attributes);

$username = $_POST['username'] ?? '';   // the input named username from the login form

$query = 'SELECT username, password FROM users WHERE username = :PHusername';
$stmt = $dbh->prepare($query);
$stmt->execute(array(':PHusername' => $username));
$result = $stmt->fetch();               // false when no row matched
if ($result !== false) {
    $userField = $result['username'];
    $passField = $result['password'];
    $userOutput = htmlentities($userField, ENT_QUOTES, 'UTF-8');   // escape only when sending to HTML
}
$stmt->closeCursor();
$stmt = null;
$dbh = null;
?>
```

The placeholder (:PHusername) prevents the input from being executed directly in the query. You will assign this placeholder a real value during execution, in my example a $username variable representing the input named username from a login form. Also notice the double quotes in the PDO handler, which allow the values of the variables to be executed with this connection ($host, $database).

Edited April 9, 2019 by jodunno
gw1500se Posted April 9, 2019

I agree that PDO is the better approach, although that statement could start a religious war. While mysqli is OK, PDO is generic in that the base code can support database engines other than MySQL with no changes.
Ikerepc (Author) Posted April 9, 2019

Thanks, I'm gonna try PDO... Other than that, what else should I use to protect inputs? Other than htmlentities? Also, what for email input?
gw1500se Posted April 9, 2019

Prepared statements and validating input is sufficient. Htmlentities does nothing for security. Email input is much less of a risk since it does not, normally, require database access with user input. Use PHPMailer for your email.
mac_gyver Posted April 9, 2019

Ikerepc said (1 hour ago): "Other than that, what else should I use to protect inputs? Other than htmlentities?"

htmlentities/htmlspecialchars are output functions. They are used when you output dynamic values in an HTML context (web page, email). They are not used when data is received by a script.
Ikerepc (Author) Posted April 9, 2019

Thank you all
Ikerepc (Author) Posted April 9, 2019

mac_gyver said (4 hours ago): "htmlentities/htmlspecialchars are output functions. They are used when you output dynamic values in an HTML context (web page, email). They are not used when data is received by a script."

Oh, and yeah, I think I started using it so 'users' can't do stupid things like using HTML bold in a username and so on. How to prevent those kinds of things?...

Edited April 9, 2019 by Ikerepc
Ikerepc (Author) Posted April 9, 2019

Oh, yeah, I could use that for output lol, sorry, I needed some time to figure it out...
cyberRobot Posted April 10, 2019

Ikerepc said (4 hours ago): "Oh, and yeah, I think I started using it so 'users' can't do stupid things like using HTML bold in a username and so on. How to prevent those kinds of things?..."

If you want, you could attempt to detect the usage of common HTML tags. Then display an error message if one is detected. Or you could just accept the input as is. Then just be sure to use something like htmlentities() before outputting the information so that the HTML tags don't get interpreted.
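Pulling the thread's advice together (validate first, bind parameters in a prepared statement, escape only at output, and keep the e-mail "@" intact), as an added example that is none of the posters' code: the `users` table with `username` and `email` columns, the validation rules, and the sample inputs are assumed/constructed here.

```php
<?php
// Added example: validate -> prepared statement -> escape on output.
declare(strict_types=1);

// Validation: reject HTML in a username while still allowing Croatian
// letters such as č, ć, ž, đ, š (the /u flag makes \p{L} match UTF-8 letters).
function validateUsername(string $name): ?string
{
    if (!preg_match('/^[\p{L}\p{N}_.-]{3,32}$/u', trim($name))) {
        return 'Username: 3-32 letters, digits, "_", "." or "-" only.';
    }
    return null; // valid
}

// FILTER_VALIDATE_EMAIL keeps "@" as-is and rejects CR/LF, so the address
// cannot smuggle extra mail headers such as "Cc:" into an outgoing message.
function validateEmail(string $email): ?string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Invalid e-mail address.';
    }
    return null;
}

// Storage: placeholders, not escaping, keep the input as plain data
// (not called below because no database is available offline).
function insertUser(PDO $dbh, string $name, string $email): void
{
    $stmt = $dbh->prepare('INSERT INTO users (username, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
}

// Output: escape where the value enters HTML, never on the way in.
function renderGreeting(string $name): string
{
    return 'Good morning, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs (in a real form they come from $_POST).
$samples = [
    ['username' => 'Đurđa_Š',     'email' => 'durda@example.com'],                      // accepted
    ['username' => '<b>admin</b>', 'email' => 'a@example.com'],                         // rejected: HTML
    ['username' => 'ivan',        'email' => "ivan@example.com\r\nCc: x@example.com"],  // rejected: header injection
];
foreach ($samples as $in) {
    $err = validateUsername($in['username']) ?? validateEmail($in['email']);
    echo $err ?? 'OK: ' . renderGreeting($in['username']), PHP_EOL;
}
```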