In my first real post I want to talk about sanitizing PHP strings. Why? Suppose you have a site where visitors can enter their favorite ice cream brand, and the page receives that value via the URL ( ice.php?brand=icebrand ).

Huh?

Now imagine what happens if the visitor loves Ben&Jerries ice cream and types that directly into the URL ( this visitor is a smart one ;-) ) ( ice.php?brand=Ben&Jerries ). The & is the query-string separator, so you end up with $_GET['brand'] containing Ben and a second parameter, $_GET['Jerries'], that exists but is empty. This isn't the worst thing that can happen, but it should help you understand why you ALWAYS need to sanitize user input: what arrives is never guaranteed to look like what your own form would have sent.
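As an added example ( not code from the original post ), here is the split happening on the command line, using parse_str(), which applies the same parsing PHP uses to build $_GET, and http_build_query(), which encodes the & so it stays part of the value. The function names are mine:

```php
<?php
// Added example, not from the original post.
// Shows how PHP splits a query string and how to build one so that a
// literal '&' inside a value survives the round trip.

function parseQuery(string $query): array
{
    $out = [];
    parse_str($query, $out);   // same parsing PHP applies when filling $_GET
    return $out;
}

function iceUrl(string $brand): string
{
    // http_build_query() percent-encodes '&' (and '=', spaces, ...) so the
    // value cannot be mistaken for a parameter separator.
    return 'ice.php?' . http_build_query(['brand' => $brand]);
}

// Raw value dropped into the URL: '&' is read as a separator.
print_r(parseQuery('brand=Ben&Jerries'));

// Properly encoded URL, then parsed back.
$url = iceUrl('Ben&Jerries');
echo $url, "\n";
print_r(parseQuery(substr($url, strlen('ice.php?'))));
```

The first print_r shows brand set to Ben and an empty Jerries key; the encoded URL reads ice.php?brand=Ben%26Jerries and parses back to a single brand parameter holding the full name.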

Fetching email addresses

Imagine you have this SQL query that shows a user’s email address, if the username and password match.

$sql = "SELECT `email` FROM `users` WHERE `username` =  '{$_POST['username']}' AND
`password` = '{$_POST['password']}'";

Looks fine, right? It just drops the username and password the user entered into the query. But what happens if the username entered is johndoe' OR 1=1 -- ( with a space after the two dashes ) and the password is something like mypassword ?

The query then becomes SELECT `email` FROM `users` WHERE `username` = 'johndoe' OR 1=1 -- ' AND `password` = 'mypassword'

In MySQL, -- followed by a space starts a comment that runs to the end of the line, so the password check is commented out and the WHERE clause reduces to `username` = 'johndoe' OR 1=1, which is true for every row. The query happily returns all the email addresses in your database. This could give you some real problems !

Help! The world is doomed!

No silly… Well, at least not if you take action now. You should always clean your user input. All of these superglobals carry data: $_GET, $_POST, $_COOKIE, $_SERVER, $_SESSION. Only $_SESSION can be trusted, and only because you filled it yourself on the server; if you stored an unchecked $_GET value in it earlier, it is just as tainted. There are tools to alter a POST request: look up the Firefox extension Tamper Data. A $_GET variable is even easier to modify, straight from the address bar, and cookies are sent by the browser, so they can be edited just as easily. $_SERVER is a mix: some entries come from the web server's own configuration, but anything derived from the request ( the HTTP_* headers, REQUEST_URI, QUERY_STRING ) is under the visitor's control. If you take $_SERVER['HTTP_USER_AGENT'] for granted, you're lost too. With some Firefox extensions, or a PHP script that makes the request for you, you can set the User-Agent to anything that makes the script vulnerable.

Ok, now tell me the solution

For MySQL queries, you should use the mysql_real_escape_string [link] function, which escapes the characters that could otherwise terminate a string literal ( the quote in johndoe' above ). Have a look at the examples on the page I've linked to. Two things to keep in mind: it only protects a value that is placed inside quotes in the query ( an unquoted numeric field stays injectable ), and it needs an open database connection, because the escaping depends on the connection's character set. The old mysql_* extension is gone in PHP 7, so today that means mysqli_real_escape_string(). The cleaner option is not to build the query string from user input at all and use prepared statements ( mysqli or PDO ), where the query is sent to the server first and the values are bound afterwards, so no value can change the shape of the SQL.
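The following is an added example, not the post's own code, that runs the three variants side by side: the interpolated query from above, the escaped version, and a prepared statement. It uses an in-memory SQLite database through PDO so it runs offline without a MySQL server; the table, rows and the PDO::quote() call are my assumptions, and PDO::quote() plays the role of mysql_real_escape_string() here ( it does the same escaping and adds the surrounding quotes ). The -- comment behaves the same way in SQLite as in MySQL, so the injection from the post works unchanged:

```php
<?php
// Added example, not from the original post. SQLite in memory via PDO so it
// runs offline; the same code works against MySQL with a mysql: DSN.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data (passwords in plaintext only to keep the demo short).
$db->exec('CREATE TABLE users (username TEXT, password TEXT, email TEXT)');
$db->exec("INSERT INTO users VALUES ('johndoe', 'secret',  'john@example.com')");
$db->exec("INSERT INTO users VALUES ('alice',   'hunter2', 'alice@example.com')");

// Constructed attacker input: the payload from the post.
$username = "johndoe' OR 1=1 -- ";
$password = 'mypassword';

// 1. Vulnerable: user input interpolated straight into the SQL text.
$sql  = "SELECT email FROM users WHERE username = '$username' AND password = '$password'";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
echo "Interpolated query: " . count($rows) . " row(s): " . implode(', ', $rows) . "\n";

// 2. Escaped: PDO::quote() escapes the value AND wraps it in quotes.
//    mysql(i)_real_escape_string() does the escaping only, which is why it must
//    always be placed inside a quoted literal in the query.
$sql  = 'SELECT email FROM users WHERE username = ' . $db->quote($username)
      . ' AND password = ' . $db->quote($password);
$rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
echo "Escaped query: " . count($rows) . " row(s)\n";

// 3. Prepared statement: query shape is fixed first, values are bound later.
$stmt = $db->prepare('SELECT email FROM users WHERE username = ? AND password = ?');
$stmt->execute([$username, $password]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "Prepared statement: " . count($rows) . " row(s)\n";

// The prepared statement still works for a genuine login.
$stmt->execute(['johndoe', 'secret']);
echo "Legitimate login returns: " . $stmt->fetchColumn() . "\n";
```

Running it, the interpolated query returns both email addresses, because the WHERE clause has collapsed to OR 1=1; the escaped query and the prepared statement both return zero rows for the attacker's input, since the payload is now compared as a literal username, and the final call returns john@example.com.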

Even more tips

Oh yes, I'm full of tips! This isn't going to be the only post about sanitizing input; I just want to give you a short preview of what's coming next: the whitelist filtering approach. If you have a <select> form field, you expect to get back one of the values in that list. But what if a user who wants to give you a headache builds his own form and submits it to the same page as yours? You get values you neither expected nor wanted ! There are a few ways to fix this, covered in a new article, coming soon.
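As an added example ( not from the post, which saves the topic for a later article ), here is the simplest form of the whitelist approach for a <select> field: compare the submitted value against the list of options the server rendered, and reject anything else instead of trying to clean it. The brand list and function name are assumptions for the illustration:

```php
<?php
// Added example, not from the original post.
// Whitelist check for a <select name="brand"> field: the only acceptable
// values are the ones we rendered ourselves; everything else is rejected.

const ALLOWED_BRANDS = ['benjerry', 'haagendazs', 'magnum'];   // assumed list

function selectedBrand(array $input): ?string
{
    $brand = $input['brand'] ?? null;

    // Strict in_array(): no type juggling, so true, 0 or '0' cannot match
    // an entry by accident, and an array sent as brand[]=... cannot match either.
    if (is_string($brand) && in_array($brand, ALLOWED_BRANDS, true)) {
        return $brand;
    }

    return null;   // rejected, not "cleaned": the caller decides how to respond
}

// Constructed inputs standing in for $_POST.
var_dump(selectedBrand(['brand' => 'magnum']));                 // accepted
var_dump(selectedBrand(['brand' => "magnum' OR 1=1 -- "]));     // rejected
var_dump(selectedBrand(['brand' => ['magnum']]));               // rejected
var_dump(selectedBrand([]));                                    // rejected
```

The first call returns the string magnum; the other three return NULL. Because the value is known to be one of a handful of fixed strings, it can safely be used in a query afterwards ( ideally still through a prepared statement ), and a forged form gains the attacker nothing.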

P.S. Please, make a comment with YOUR tips, and get a mention in my next post about this topic!

5 Responses to “PHP Sanitation Goodies”
  1. Nice article!

    The mysql_real_escape_string function is very powerful.
    For sanitizing the user input you can also use the filter extension.

  2. function clean($string) {
         $bad = array(">", "<");
         // < rather than <=: valid indexes are 0 .. sizeof($bad) - 1
         for ($i = 0; $i < sizeof($bad); $i++) {
             $string = str_replace($bad[$i], "", $string);
         }
         return $string;
     }

  3. sunjester, htmlentities (with or without ENT_QUOTES) will work too. http://www.php.net/htmlentities

    But your function would allow for a more dynamic approach to cleaning up the input. Thanks!

  4. i had a more elaborate one, but simple is best.
