PHP: Best way to sanitize inputs

[AzN]

Been reading about mysql injections, so I'm wondering what's the best way to sanitize inputs to protect against injection in PHP?

I've read at a place converting strings into hex or base64 encoded strings can be a good alternative.

Thanks.

 

[Barrucadu]

This is the best way:

$safe = mysql_real_escape_string('blah');

You need to be connected to a MySQL server, but it works great.

 

[AzN]

This is the best way:

$safe = mysql_real_escape_string('blah');

You need to be connected to a MySQL server, but it works great.

Barrucadu, I've read that mysql_real_escape_string() only adds a backslash and does not protect against everytype of sql injection, is this correct?

Just wondering what are the various options,

Thanks,
AzN

 

[Albino]

I use a variety of ones, such as :

$info = trim($info);
$info = strip_tags($info);
$info = stripslashes($info);
$info = mysql_real_escape_string($info);

 

[nasaboy007]

this is what i use:

function sql_quote($value) {
	$value = strip_tags($value);
    if(get_magic_quotes_gpc()) {
          $value = stripslashes( $value );
    }
    //check if this function exists
    if(function_exists("mysql_real_escape_string")) {
          $value = mysql_real_escape_string( $value );
    }
    //for PHP version < 4.3.0 use addslashes
    else {
	      $value = addslashes( $value );
    }
    return $value;
}

 

[Eric]

www.php.net/manual/en/security.database.sql-injection.php

www.php.net/manual/en/intro.filter.php

 

[Bruce_KD]

The best way to prevent injection is to hack yourself (or at least think about it).
If you're expecting numerical input, don't could on a user to make it numerical.

Take a look at the following snippet:

<?php
include 'mysql_connect.php';
if ($_GET['start'] && $_GET['end']) {
  $start = mysql_real_escape_string($_GET['start']);
  $end = mysql_real_escape_string($_GET['end']);
  $query = mysql_query("Select name, rank from players where rank between $start and $end");
  while ($row = mysql_fetch_array($query, MYSQL_NUM)) 
    echo $row[0] . ": #".$row[1];
}
else 
  echo "Enter the Starting and ending ranks";
?>

This code is great right? I used mysql_real_escape_string and everything!
What happens if I enter '1' for start and '2 union Select name, password from players' for end?
I get the username and password for every entry in the table!

What did we do wrong here?
1. Obviously, we didn't use single quotes inside the mysql query. If you use single quotes surrounding every variable AND use mysql_real_escape_string, you're much safer.

2. We trusted user input. We didn't check if both $start and $end were numerical. We could have even been lazy and done $start = floor($start).
You'd be better off using is_int($start) at least is_numeric($start)

3. The code is lazy. It doesn't check if $Query actually worked, which can throw a mysql_fetch_array warning if there are no results. But this is because I was lazy writing my example, not trying to make a point.


So the whole point of this was to show you there isn't one fool-proof way to stop mysql injection. mysql_real_escape_string does not work every time.
You need to use your brain and understand how injection really works before you can defend against it.


Bruce