PHP: Best way to sanitize inputs

AzN · 07-25-2008, 11:27 AM

Been reading about mysql injections, so I'm wondering what's the best way to sanitize inputs to protect against injection in PHP?

I've read at a place converting strings into hex or base64 encoded strings can be a good alternative.

Thanks.

Barrucadu · 07-25-2008, 12:14 PM

This is the best way:

PHP Code:

  $safe = mysql_real_escape_string('blah');

You need to be connected to a MySQL server, but it works great.

AzN · 07-25-2008, 12:24 PM

Quote:

Originally Posted by Barrucadu

This is the best way:

PHP Code:

  $safe = mysql_real_escape_string('blah');

You need to be connected to a MySQL server, but it works great.

Barrucadu, I've read that mysql_real_escape_string() only adds a backslash and does not protect against everytype of sql injection, is this correct?

Just wondering what are the various options,

Thanks,
AzN

Albino · 07-25-2008, 12:38 PM

I use a variety of ones, such as :

$info = trim($info);
$info = strip_tags($info);
$info = stripslashes($info);
$info = mysql_real_escape_string($info);

nasaboy007 · 07-25-2008, 03:12 PM

this is what i use:

PHP Code:

  function sql_quote($value) {

    $value = strip_tags($value);

    if(get_magic_quotes_gpc()) {

          $value = stripslashes( $value );

    }

    //check if this function exists

    if(function_exists("mysql_real_escape_string")) {

          $value = mysql_real_escape_string( $value );

    }

    //for PHP version < 4.3.0 use addslashes

    else {

          $value = addslashes( $value );

    }

    return $value;

}

**Eric** · 07-25-2008, 03:50 PM

http://www.php.net/manual/en/securit...-injection.php

www.php.net/manual/en/intro.filter.php

Bruce_KD · 07-25-2008, 09:30 PM

The best way to prevent injection is to hack yourself (or at least think about it).
If you're expecting numerical input, don't could on a user to make it numerical.

Take a look at the following snippet:

PHP Code:

  <?php

include 'mysql_connect.php';

if ($_GET['start'] && $_GET['end']) {

  $start = mysql_real_escape_string($_GET['start']);

  $end = mysql_real_escape_string($_GET['end']);

  $query = mysql_query("Select name, rank from players where rank between $start and $end");

  while ($row = mysql_fetch_array($query, MYSQL_NUM)) 

    echo $row[0] . ": #".$row[1];

}

else 

  echo "Enter the Starting and ending ranks";

?>

This code is great right? I used mysql_real_escape_string and everything!
What happens if I enter '1' for start and '2 union Select name, password from players' for end?
I get the username and password for every entry in the table!

What did we do wrong here?
1. Obviously, we didn't use single quotes inside the mysql query. If you use single quotes surrounding every variable AND use mysql_real_escape_string, you're much safer.

2. We trusted user input. We didn't check if both $start and $end were numerical. We could have even been lazy and done $start = floor($start).
You'd be better off using is_int($start) at least is_numeric($start)

3. The code is lazy. It doesn't check if $Query actually worked, which can throw a mysql_fetch_array warning if there are no results. But this is because I was lazy writing my example, not trying to make a point.

So the whole point of this was to show you there isn't one fool-proof way to stop mysql injection. mysql_real_escape_string does not work every time.
You need to use your brain and understand how injection really works before you can defend against it.

Bruce

07-25-2008, 11:27 AM	#1 (permalink)
AzN SI: ServiceInteract Join Date: May 2006 Location: ServiceInteract Posts: 2,551 0.96 NP$ (Donate)	PHP: Best way to sanitize inputs Been reading about mysql injections, so I'm wondering what's the best way to sanitize inputs to protect against injection in PHP? I've read at a place converting strings into hex or base64 encoded strings can be a good alternative. Thanks.

07-25-2008, 12:14 PM	#2 (permalink)
Barrucadu Barru. Join Date: Aug 2005 Location: East Yorkshire, England Posts: 2,731 78.50 NP$ (Donate)	This is the best way: PHP Code: `$safe = mysql_real_escape_string('blah');` You need to be connected to a MySQL server, but it works great. __________________ Website \| Blog \| Uzbl (my branch) 9thSeptember2009.com

07-25-2008, 12:38 PM	#4 (permalink)
Albino Munky Designs Join Date: May 2005 Posts: 997 417.00 NP$ (Donate)	I use a variety of ones, such as : $info = trim($info); $info = strip_tags($info); $info = stripslashes($info); $info = mysql_real_escape_string($info); __________________ Munky Designs - Web Developers\|\| Erant - Vent Your Rage! \|\| Pow Comics - webcomic hosting + directory

07-25-2008, 03:12 PM	#5 (permalink)
nasaboy007 Senior Member Join Date: Jul 2005 Location: NJ Posts: 1,112 1,454.30 NP$ (Donate)	this is what i use: PHP Code: `function sql_quote($value) { $value = strip_tags($value); if(get_magic_quotes_gpc()) { $value = stripslashes( $value ); } //check if this function exists if(function_exists("mysql_real_escape_string")) { $value = mysql_real_escape_string( $value ); } //for PHP version < 4.3.0 use addslashes else { $value = addslashes( $value ); } return $value; }` __________________ Hacksar.com - Your source for random computer tips and tricks! MySiteMemberships.com - Keep track of your site registration information! Like my post? Rep is appreciated!

07-25-2008, 03:50 PM	#6 (permalink)
Eric NPQ's PA, Slave, and On Call Coder Technical Services Join Date: Mar 2005 Posts: 4,545 0.71 NP$ (Donate)	http://www.php.net/manual/en/securit...-injection.php www.php.net/manual/en/intro.filter.php __________________

07-25-2008, 09:30 PM	#7 (permalink)
Bruce_KD NamePros Member Join Date: Sep 2006 Posts: 87 100.00 NP$ (Donate)	The best way to prevent injection is to hack yourself (or at least think about it). If you're expecting numerical input, don't could on a user to make it numerical. Take a look at the following snippet: PHP Code: `<?php include 'mysql_connect.php'; if ($_GET['start'] && $_GET['end']) { $start = mysql_real_escape_string($_GET['start']); $end = mysql_real_escape_string($_GET['end']); $query = mysql_query("Select name, rank from players where rank between $start and $end"); while ($row = mysql_fetch_array($query, MYSQL_NUM)) echo $row[0] . ": #".$row[1]; } else echo "Enter the Starting and ending ranks"; ?>` This code is great right? I used mysql_real_escape_string and everything! What happens if I enter '1' for start and '2 union Select name, password from players' for end? I get the username and password for every entry in the table! What did we do wrong here? 1. Obviously, we didn't use single quotes inside the mysql query. If you use single quotes surrounding every variable AND use mysql_real_escape_string, you're much safer. 2. We trusted user input. We didn't check if both $start and $end were numerical. We could have even been lazy and done $start = floor($start). You'd be better off using is_int($start) at least is_numeric($start) 3. The code is lazy. It doesn't check if $Query actually worked, which can throw a mysql_fetch_array warning if there are no results. But this is because I was lazy writing my example, not trying to make a point. So the whole point of this was to show you there isn't one fool-proof way to stop mysql injection. mysql_real_escape_string does not work every time. You need to use your brain and understand how injection really works before you can defend against it. Bruce __________________ Need a CAPTCHA? www.KingdomsDivided.com

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Technical Services