make safe user input?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!


wurdup
Forum Commoner
Posts: 39
Joined: Thu Apr 01, 2010 11:36 am

make safe user input?

Post by wurdup »

Is mysql_real_escape_string adequate for user input for a username box using MySQL? Checking other websites, they state stripping tags is adequate. What's the most secure method?
Cirdan
Forum Contributor
Posts: 144
Joined: Sat Nov 01, 2008 3:20 pm

Re: make safe user input?

Post by Cirdan »

mysql_real_escape_string is really only helpful in preventing SQL injections. In addition to that, you would want to check for special characters such as < and > that could lead to cross-site scripting attacks. What I would do is check for those special characters in the username and, if those characters are present, return to the form as failed and ask the user to choose a different name.
wurdup
Forum Commoner
Posts: 39
Joined: Thu Apr 01, 2010 11:36 am

Re: make safe user input?

Post by wurdup »

So all input should remove tags as well?
Cirdan
Forum Contributor
Posts: 144
Joined: Sat Nov 01, 2008 3:20 pm

Re: make safe user input?

Post by Cirdan »

You could remove them, or just make them safe with htmlspecialchars(). In usernames and passwords, they should be removed. For things like blog comments, you could just use the htmlspecialchars function.
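An added example (not code from any of the posts in this thread) of the two options Cirdan describes: rejecting a username that contains anything outside a whitelist, and escaping free text with htmlspecialchars() when it goes into HTML. It also shows the caveat a practitioner wants here: without ENT_QUOTES a single quote is left alone (the default flags on PHP before 8.1), so a value placed inside a single-quoted attribute can still break out. The function names validateUsername() and e(), and the sample inputs, are this example's own; it assumes PHP 7.0 or later.

```php
<?php
// Added example, not code from the forum thread. Two treatments of user
// input for the HTML context: reject (usernames) or escape (free text).
// validateUsername(), e() and the inputs below are constructed for this example.

declare(strict_types=1);

// Whitelist for usernames: letters, digits, underscore, 3 to 20 characters.
// Rejecting is preferable to stripping tags, because a stripped name
// ("<b>bob</b>" becomes "bob") can silently collide with another user.
function validateUsername(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $name) === 1;
}

// Escaping for text that is echoed into HTML. ENT_QUOTES turns ' into an
// entity as well as " so the result is safe inside either attribute quote
// style; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed usernames: one valid, one with tags, one with a quote, one too long.
$names = ['alice_99', 'bob<script>', "o'brien", str_repeat('a', 21)];
foreach ($names as $n) {
    printf("%-25s %s\n", $n, validateUsername($n) ? 'ok' : 'rejected');
}

// Constructed comment text echoed into the page body.
$comment = "I said <b>hi</b> & it's \"fine\"";
echo e($comment), "\n";

// The same attacker string inside a single-quoted attribute. ENT_COMPAT
// (the pre-8.1 default) leaves the ' untouched and the attribute is broken
// out of; the ENT_QUOTES version keeps the attribute intact.
$payload = "x' onmouseover='alert(1)";
echo "<input value='" . htmlspecialchars($payload, ENT_COMPAT) . "'>\n"; // breaks out
echo "<input value='" . e($payload) . "'>\n";                             // stays a plain value
```

The whitelist is deliberately narrow; if a site needs dots or hyphens in usernames, widen the character class rather than switching to a blacklist of "bad" characters.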
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: make safe user input?

Post by Apollo »

Just keep in mind in which context you're using a particular input string.

If you're inserting it into an SQL query, you need mysql_real_escape_string (and nothing else).

If you're printing it in your HTML output, e.g. in pre-filled-in form values or just in your regular HTML, you need htmlspecialchars (and nothing else).

And if the input is a password, you should not use that specific string at all (never store passwords), but only a hash of the input string + a random salt, like sha1($password.'RaNd0mSaLt'), and compare that to wherever you store your credentials.
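An added example (not code from the thread) of the SQL and password contexts Apollo lists, written the way a current PHP application would do it: the SQL context is handled with PDO bound parameters and the password context with password_hash()/password_verify(). The mysql extension that provides mysql_real_escape_string was removed in PHP 7, so on a current PHP this is the route anyway. The deliberately vulnerable string-concatenation version is kept alongside for contrast. The code uses an in-memory SQLite database so it runs offline and assumes the pdo_sqlite extension is loaded; the users table, the function names and the sample data are constructed for this example.

```php
<?php
// Added example, not code from the forum posts. SQL context handled with
// bound parameters, password context with password_hash()/password_verify().
// Assumes the pdo_sqlite extension; the table, the function names and the
// sample data are constructed for this example.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL you would also set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not the client library, keeps statement and data apart.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, pw_hash TEXT NOT NULL)');

// Vulnerable: the username is spliced into the SQL text, so it can close the
// quoted literal and append its own condition. Kept only for contrast.
function userExistsUnsafe(PDO $db, string $username): bool
{
    $sql = "SELECT 1 FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchColumn() !== false;
}

// Safe: the username travels as a bound parameter. It is never parsed as SQL,
// whatever quotes or operators it contains, so no escaping call is needed.
function userExists(PDO $db, string $username): bool
{
    $st = $db->prepare('SELECT 1 FROM users WHERE username = :u');
    $st->execute([':u' => $username]);
    return $st->fetchColumn() !== false;
}

function register(PDO $db, string $username, string $password): void
{
    // Store only the hash. password_hash() chooses the algorithm (bcrypt for
    // PASSWORD_DEFAULT), generates a random per-user salt and embeds it in
    // the result, so there is no fixed application-wide salt to leak.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $st = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $st->execute([':u' => $username, ':h' => $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    $st = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $st->execute([':u' => $username]);
    $hash = $st->fetchColumn();
    // password_verify() reads the algorithm and salt back out of the stored
    // hash and compares in constant time.
    return $hash !== false && password_verify($password, (string) $hash);
}

// Constructed data.
register($db, 'alice', 'correct horse battery staple');

$injection = "nobody' OR '1'='1";
var_dump(userExistsUnsafe($db, $injection)); // the OR clause matches every row: check bypassed
var_dump(userExists($db, $injection));       // looks for that literal name: no such user

var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'wrong password'));
var_dump(login($db, $injection, 'anything'));
```

Two points worth checking in your own code: a bound parameter protects only the value; table and column names, ORDER BY fields and LIMIT values still have to come from a fixed whitelist. And a stored password_hash() string already contains its salt, so nothing extra has to be kept beside it.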