Practices for getting information from $_GET/$_POST and saving it to a database?

Question

What are today\'s best practises when it comes to getting information from a get/post and saving information to a database? Is data still escaped like it used to or are there ad

Answer 1

Never Save data from GET to db.

Never ever save data from GET, even if you are doing sufficient validation and escaping. GET is not supposed to change information on server.

Before changing anything on server (DB or Server File) check if request is POST or PUT or DELETE as applicable

POST is supposed to change state of the server. Hence before updating your tables or changing any file on server check if request method is post.

Validate inputs before processing

If you are expecting an integer validate that input is indeed an integer.

Escape inputs before using in db queries or adding to output

For query purposes escape the inputs and in case you are using input to be directly printed to the output then strip the slashes and sanitize it.

Use perishable tokens for POST when you have privilege of user sessions

Use access tokens in case you have user logged in and update the token every access or 5mins or so.

Use access tokens when you don't have user session

As Ankur suggested use access tokens when you don't have login session. But this is not reliable.

Answer 2

You should never assume that information from GET or POST is properly escaped, even if you do validation on your website, javascript can be disabled and requests can be manually coded to do an SQL injection attack. Use mysql_real_escape_string() when generating your query string.

http://php.net/manual/en/function.mysql-real-escape-string.php

As far as I can tell from quickly reading up on it, HTML Purifier is to parse output from WYSIWYG editors or anywhere where you're expecting proper HTML from the user. It gives you control to disallow and filter out certain things (like scripts) and makes sure all tags are properly nested and closed. It is especially important if you're dumping the HTML into your page after reading the data back from the database.

Answer 3

Never escape data into a presentation format before putting it in a database; sanitize it if appropriate, but always have the database contain the "rawest" form of the data.

Always escape data into a presentation format before displaying, unless it is certain that the data should not be escaped and that it is safe to not escape it.

Answer 4

Well it depends on what your values are and where they are coming from. The short and sweet answer is:

ESCAPE AND SANITIZE

which means make sure you put all strings in quotes and make sure you escape all special characters in user submitted strings. Type match and length check.