What are the best PHP input sanitizing functions?

后端 未结 13 1487
抹茶落季
抹茶落季 2020-11-21 23:31

I am trying to come up with a function that I can pass all my strings through to sanitize. So that the string that comes out of it will be safe for database insertion. But t

相关标签:
13条回答
  • 2020-11-21 23:41

    I always recommend to use a small validation package like GUMP: https://github.com/Wixel/GUMP

    Build all you basic functions arround a library like this and is is nearly impossible to forget sanitation. "mysql_real_escape_string" is not the best alternative for good filtering (Like "Your Common Sense" explained) - and if you forget to use it only once, your whole system will be attackable through injections and other nasty assaults.

    0 讨论(0)
  • 2020-11-21 23:42

    It depends on the kind of data you are using. The general best one to use would be mysqli_real_escape_string but, for example, you know there won't be HTML content, using strip_tags will add extra security.

    You can also remove characters you know shouldn't be allowed.

    0 讨论(0)
  • 2020-11-21 23:43

    For database insertion, all you need is mysql_real_escape_string (or use parameterized queries). You generally don't want to alter data before saving it, which is what would happen if you used htmlentities. That would lead to a garbled mess later on when you ran it through htmlentities again to display it somewhere on a webpage.

    Use htmlentities when you are displaying the data on a webpage somewhere.

    Somewhat related, if you are sending submitted data somewhere in an email, like with a contact form for instance, be sure to strip newlines from any data that will be used in the header (like the From: name and email address, subect, etc)

    $input = preg_replace('/\s+/', ' ', $input);
    

    If you don't do this it's just a matter of time before the spam bots find your form and abuse it, I've learned the hard way.

    0 讨论(0)
  • 2020-11-21 23:48
    function sanitize($string,$dbmin,$dbmax){
    $string = preg_replace('#[^a-z0-9]#i', '', $string); //useful for strict cleanse, alphanumeric here
    $string = mysqli_real_escape_string($con, $string); //get ready for db
    if(strlen($string) > $dbmax || strlen($string) < $dbmin){
        echo "reject_this"; exit();
        }
    return $string;
    }
    
    0 讨论(0)
  • 2020-11-21 23:49

    Database Input - How to prevent SQL Injection

    1. Check to make sure data of type integer, for example, is valid by ensuring it actually is an integer
      • In the case of non-strings you need to ensure that the data actually is the correct type
      • In the case of strings you need to make sure the string is surrounded by quotes in the query (obviously, otherwise it wouldn't even work)
    2. Enter the value into the database while avoiding SQL injection (mysql_real_escape_string or parameterized queries)
    3. When Retrieving the value from the database be sure to avoid Cross Site Scripting attacks by making sure HTML can't be injected into the page (htmlspecialchars)

    You need to escape user input before inserting or updating it into the database. Here is an older way to do it. You would want to use parameterized queries now (probably from the PDO class).

    $mysql['username'] = mysql_real_escape_string($clean['username']);
    $sql = "SELECT * FROM userlist WHERE username = '{$mysql['username']}'";
    $result = mysql_query($sql);
    

    Output from database - How to prevent XSS (Cross Site Scripting)

    Use htmlspecialchars() only when outputting data from the database. The same applies for HTML Purifier. Example:

    $html['username'] = htmlspecialchars($clean['username'])
    
    • Buy this book if you can: Essential PHP Security
    • Also read this article: Why mysql_real_escape_string is important and some gotchas

    And Finally... what you requested

    I must point out that if you use PDO objects with parameterized queries (the proper way to do it) then there really is no easy way to achieve this easily. But if you use the old 'mysql' way then this is what you would need.

    function filterThis($string) {
        return mysql_real_escape_string($string);
    }
    
    0 讨论(0)
  • 2020-11-21 23:50

    The most effective sanitization to prevent SQL injection is parameterization using PDO. Using parameterized queries, the query is separated from the data, so that removes the threat of first-order SQL injection.

    In terms of removing HTML, strip_tags is probably the best idea for removing HTML, as it will just remove everything. htmlentities does what it sounds like, so that works, too. If you need to parse which HTML to permit (that is, you want to allow some tags), you should use an mature existing parser such as HTML Purifier

    0 讨论(0)
提交回复
热议问题