PHP: Best way to sanitize inputs

AzN · 07-25-2008, 12:27 PM

Been reading about mysql injections, so I'm wondering what's the best way to sanitize inputs to protect against injection in PHP?

I've read at a place converting strings into hex or base64 encoded strings can be a good alternative.

Thanks.

Barrucadu · 07-25-2008, 01:14 PM

This is the best way:

PHP Code:

  $safe = mysql_real_escape_string('blah'); 

????: NamePros.com http://www.namepros.com/programming/496674-php-best-way-to-sanitize-inputs.html

You need to be connected to a MySQL server, but it works great.

AzN · 07-25-2008, 01:24 PM

Originally Posted by Barrucadu

This is the best way:
????: NamePros.com http://www.namepros.com/showthread.php?t=496674

PHP Code:

  $safe = mysql_real_escape_string('blah');

You need to be connected to a MySQL server, but it works great.

Barrucadu, I've read that mysql_real_escape_string() only adds a backslash and does not protect against everytype of sql injection, is this correct?

Just wondering what are the various options,

Thanks,
AzN

Albino · 07-25-2008, 01:38 PM

I use a variety of ones, such as :

$info = trim($info);
$info = strip_tags($info);
$info = stripslashes($info);
$info = mysql_real_escape_string($info);

nasaboy007 · 07-25-2008, 04:12 PM

this is what i use:

PHP Code:

  function sql_quote($value) {

    $value = strip_tags($value);

    if(get_magic_quotes_gpc()) {

          $value = stripslashes( $value );

????: NamePros.com http://www.namepros.com/showthread.php?t=496674
    }

    //check if this function exists

    if(function_exists("mysql_real_escape_string")) {

          $value = mysql_real_escape_string( $value );

    }

    //for PHP version < 4.3.0 use addslashes

    else {

          $value = addslashes( $value );

    }

    return $value;

}

Eric · 07-25-2008, 04:50 PM

http://www.php.net/manual/en/securit...-injection.php

www.php.net/manual/en/intro.filter.php

Bruce_KD · 07-25-2008, 10:30 PM

The best way to prevent injection is to hack yourself (or at least think about it).
If you're expecting numerical input, don't could on a user to make it numerical.

Take a look at the following snippet:

PHP Code:

  <?php

????: NamePros.com http://www.namepros.com/showthread.php?t=496674
include 'mysql_connect.php';

if ($_GET['start'] && $_GET['end']) {

  $start = mysql_real_escape_string($_GET['start']);

  $end = mysql_real_escape_string($_GET['end']);

  $query = mysql_query("Select name, rank from players where rank between $start and $end");

  while ($row = mysql_fetch_array($query, MYSQL_NUM)) 

????: NamePros.com http://www.namepros.com/showthread.php?t=496674
    echo $row[0] . ": #".$row[1];

}

else 

  echo "Enter the Starting and ending ranks";

?>

This code is great right? I used mysql_real_escape_string and everything!
What happens if I enter '1' for start and '2 union Select name, password from players' for end?
I get the username and password for every entry in the table!

What did we do wrong here?
1. Obviously, we didn't use single quotes inside the mysql query. If you use single quotes surrounding every variable AND use mysql_real_escape_string, you're much safer.

2. We trusted user input. We didn't check if both $start and $end were numerical. We could have even been lazy and done $start = floor($start).
You'd be better off using is_int($start) at least is_numeric($start)

3. The code is lazy. It doesn't check if $Query actually worked, which can throw a mysql_fetch_array warning if there are no results. But this is because I was lazy writing my example, not trying to make a point.

So the whole point of this was to show you there isn't one fool-proof way to stop mysql injection. mysql_real_escape_string does not work every time.
You need to use your brain and understand how injection really works before you can defend against it.

Bruce

07-25-2008, 12:27 PM	THREAD STARTER #1 (permalink)
AzN is on hiatus Join Date: May 2006 Posts: 2,453	PHP: Best way to sanitize inputs Been reading about mysql injections, so I'm wondering what's the best way to sanitize inputs to protect against injection in PHP? I've read at a place converting strings into hex or base64 encoded strings can be a good alternative. Thanks. __________________ Currently on hiatus. Back whenever.

07-25-2008, 01:14 PM	#2 (permalink)
Barrucadu Senior Member Join Date: Aug 2005 Location: East Yorkshire, England Posts: 2,689 Follow @barrucadu	This is the best way: PHP Code: `$safe = mysql_real_escape_string('blah'); ????: NamePros.com http://www.namepros.com/programming/496674-php-best-way-to-sanitize-inputs.html` You need to be connected to a MySQL server, but it works great. __________________ Website \| Blog Arch Hurd developer; GNU Webmaster; FSF member #8385

07-25-2008, 01:38 PM	#4 (permalink)
Albino Munky Designs Join Date: May 2005 Posts: 996	I use a variety of ones, such as : $info = trim($info); $info = strip_tags($info); $info = stripslashes($info); $info = mysql_real_escape_string($info); __________________ Toddish.co.uk - Portfolio/Blog Powcomics.com - Webcomic Hosting/Directory Erant.co.uk - vent your rage!

07-25-2008, 04:12 PM	#5 (permalink)
nasaboy007 Senior Member Join Date: Jul 2005 Location: NJ Posts: 1,219	this is what i use: PHP Code: function sql_quote($value) { $value = strip_tags($value); if(get_magic_quotes_gpc()) { $value = stripslashes( $value ); ????: NamePros.com http://www.namepros.com/showthread.php?t=496674 } //check if this function exists if(function_exists("mysql_real_escape_string")) { $value = mysql_real_escape_string( $value ); } //for PHP version < 4.3.0 use addslashes else { $value = addslashes( $value ); } return $value; } __________________ Hacksar.com - Your source for random computer tips and tricks! MySiteMemberships.com - Keep track of your site registration information! Like my post? Rep is appreciated!

07-25-2008, 10:30 PM	#7 (permalink)
Bruce_KD NamePros Member Join Date: Sep 2006 Posts: 99	The best way to prevent injection is to hack yourself (or at least think about it). If you're expecting numerical input, don't could on a user to make it numerical. Take a look at the following snippet: PHP Code: <?php ????: NamePros.com http://www.namepros.com/showthread.php?t=496674 include 'mysql_connect.php'; if ($_GET['start'] && $_GET['end']) { $start = mysql_real_escape_string($_GET['start']); $end = mysql_real_escape_string($_GET['end']); $query = mysql_query("Select name, rank from players where rank between $start and $end"); while ($row = mysql_fetch_array($query, MYSQL_NUM)) ????: NamePros.com http://www.namepros.com/showthread.php?t=496674 echo $row[0] . ": #".$row[1]; } else echo "Enter the Starting and ending ranks"; ?> This code is great right? I used mysql_real_escape_string and everything! What happens if I enter '1' for start and '2 union Select name, password from players' for end? I get the username and password for every entry in the table! What did we do wrong here? 1. Obviously, we didn't use single quotes inside the mysql query. If you use single quotes surrounding every variable AND use mysql_real_escape_string, you're much safer. 2. We trusted user input. We didn't check if both $start and $end were numerical. We could have even been lazy and done $start = floor($start). You'd be better off using is_int($start) at least is_numeric($start) 3. The code is lazy. It doesn't check if $Query actually worked, which can throw a mysql_fetch_array warning if there are no results. But this is because I was lazy writing my example, not trying to make a point. So the whole point of this was to show you there isn't one fool-proof way to stop mysql injection. mysql_real_escape_string does not work every time. You need to use your brain and understand how injection really works before you can defend against it. Bruce __________________ Need a CAPTCHA? www.KingdomsDivided.com

07-25-2008, 04:50 PM	#6 (permalink)
Eric Senior Member Join Date: Mar 2005 Posts: 4,948	http://www.php.net/manual/en/securit...-injection.php www.php.net/manual/en/intro.filter.php

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)