Jump to content

Best way to secure inputs


Ikerepc

Recommended Posts

Hi!

I wanna know what is the best way to secure my inputs?

Now I'm using something like this function:

public function z($var) {
        $result1 = htmlspecialchars($var);
        $result = mysqli_real_escape_string($this->conn, $result1);
        return $result;
    }

but I don't know how secure it is from all inputs... It couldn't be that with that my site is completely secure...

So I wanna know what else I should use...

I found something about PHP sanitize filters and similar... Same for mail, should I use that for e-mail, what should I use for e-mails as I think this 2 codes will brake character @ necessary for emails.

Any suggestion is welcome

Thanks

Link to comment
Share on other sites

Hello and i hope that you are having a pleasant day,

for one thing, you specify your location to be Croatia. Thus, i imagine that you want to handle languages with characters outside of ascii. Hence, utf-8 and PHP htmlentities instead of htmlspecialchars.

input is just input. input is not dangerous until it is placed in an executable state. so if you accept a username, then display that username to a screen (output), then the username must be escaped. If you execute a query to a database, then you need to use PDO and not execute the input directly in the query (so OR 1 is not executed). If you are sending mail, then you must be certain that CC is not input or it will be executed.

So, the best practice is to validate input first and foremost. Then use PDO prepared statements with emulates prepared set to false for any query against a db with this input. Then, if you plan to output the data, use htmlentities and html_entity_decode respectively to clean the code from execution. I do not filter input but i also do not output any input. I don't have a forum or any type of app that requires me to do so. I am building a member based login website but i have no desire to show your screen name for any purpose. I don't need to say Good morning, user when i can just say Good morning. I do show your screen name at a change screen name form but i use htmlentities and html_entity_decode to clean the name and i do not place the name in any name specific html tags or attributes.

i see that someone else has posted a reply. I agree that you should be using PDO.

  • Thanks 1
Link to comment
Share on other sites

Yeah, I'm building a software for practice in php and mysqli.

So I wanna know methods for max protection as it's most important thing when you are working with php. I'm building it from scratch so yeah, I'm using what I found on most of sites... And that's what I posted in first post.

 

I'm from Croatia, yes, so we have letters like č,ć,ž,đ,š... I'll check difference between those htmlentities and this what I'm using now, thanks :)

Also, because it's "software", yes, there is a lot of things that are going to database and showing on site. So I'm using this code I posded and ifs for each input to check if it's filled... Right now I'm not validating inputs, I will do that next.

Link to comment
Share on other sites

PDO is nice and easy. Here is an example using a login:

<?php
$database = 'database_name';
$host = '127.0.0.1';
$user = 'database_user_name';
$pass = 'database_user_password';
$attributes = array(
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
  );

  $dbh = new PDO("mysql:host=$host; dbname=$database; charset=utf8mb4", $user, $pass, $attributes);
  $query = 'SELECT username, password FROM users WHERE username = :PHusername';

  $stmt = $dbh->prepare($query);
  $stmt->execute(array(':PHusername' => $username));
  $result = $stmt->fetch();
    $userField = $result['username'];
    $passField = $result['password'];
    $userOutput = htmlentities($userField, ENT_QUOTES, 'UTF-8');

  $stmt->closeCursor();
  $stmt = null;
  $dbh = null;

?>

the placeholder (:PHusername) prevents the input from being executed directly in the query. You will assign this placeholder a real value during execution, in my example a $username variable representing the input named username from a login form. Also notice the double quotes in the PDO handler, which allow the values of the variable to be executed with this connection ($host, $database).

Edited by jodunno
  • Thanks 1
Link to comment
Share on other sites

1 hour ago, Ikerepc said:

Other than that what else should I use to protect inputs? Other than htmlentities?

htmlentities/htmlspecialchars are output functions. they are used when you output dynamic values in a html context (web page, email.) they are not used when data is received by a script.

  • Thanks 1
Link to comment
Share on other sites

4 hours ago, mac_gyver said:

htmlentities/htmlspecialchars are output functions. they are used when you output dynamic values in a html context (web page, email.) they are not used when data is received by a script.

Oh, and yeah, I think I started using it so 'users' can't do stupid things like using html bold in username and so. How to prevent those kind of things?...

Edited by Ikerepc
Link to comment
Share on other sites

4 hours ago, Ikerepc said:

Oh, and yeah, I think I started using it so 'users' can't do stupid things like using html bold in username and so. How to prevent those kind of things?...

If you want, you could attempt to detect the usage of common HTML tags. Then display an error message if one is detected.

Or you could just accept the input as is. Then just be sure to use something like htmlentities() before outputting the information so that the HTML tags don't get interpreted.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.