
make safe user input?

Posted: Sun Jun 13, 2010 9:00 am
by wurdup
Is mysql_real_escape_string adequate for user input for a username box using mysql? Checking other websites, they state stripping tags is adequate. What's the most secure method?

Re: make safe user input?

Posted: Sun Jun 13, 2010 10:05 am
by Cirdan
mysql_real_escape_string is really only helpful in preventing SQL injections. In addition to that, you would want to check for special characters such as < and > that could lead to cross-site scripting attacks. What I would do is check for those special characters in the username and, if those characters are present, return to the form as failed and ask the user to choose a different name.

Re: make safe user input?

Posted: Sun Jun 13, 2010 10:20 am
by wurdup
So all input should remove tags as well?

Re: make safe user input?

Posted: Sun Jun 13, 2010 11:12 am
by Cirdan
You could remove them, or just make them safe with htmlspecialchars(). In usernames and passwords, they should be removed. For things like blog comments, you could just use the htmlspecialchars function.

Re: make safe user input?

Posted: Sun Jun 13, 2010 3:27 pm
by Apollo
Just keep in mind in which context you're using a particular input string.

If you're inserting it into an SQL query, you need mysql_real_escape_string (and nothing else).

If you're printing it in your HTML output, e.g. in pre-filled-in form values or just in your regular HTML, you need htmlspecialchars (and nothing else).

And if the input is a password, you should not use that specific string at all (never store passwords), but only a hash of the input string + a random salt, like sha1($password.'RaNd0mSaLt'), and compare that to wherever you store your credentials.
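The context-by-context handling Apollo describes, together with Cirdan's suggestion of rejecting special characters in usernames, as an added PHP example that is not code from this thread. It uses PDO prepared statements for the SQL context (so no escaping call is needed for the values), htmlspecialchars() with explicit quote flags and charset for the HTML context, and PHP's password_hash()/password_verify() for the password step in place of the sha1 plus fixed-salt construction in the post above. The users table and its columns, the DSN, the database credentials and the sample form data are all assumptions made up for the example.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with the PDO MySQL
// driver. The table users(id, username, password_hash) is hypothetical.

// 1. Username: validate against a whitelist instead of stripping tags. If only
//    letters, digits and underscore are accepted, "<", ">" and quotes never
//    reach the database or the page, and the user is told to pick another name.
function validate_username(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $raw) === 1 ? $raw : null;
}

// 2. SQL context: a prepared statement keeps the data out of the query text,
//    so the driver never has to guess where the value ends.
function create_user(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:u, :h)'
    );
    return $stmt->execute([
        ':u' => $username,
        // Stores a salted hash only; the clear-text password is never written.
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    // password_verify() reads the salt and algorithm back out of the stored hash.
    return $hash !== false && password_verify($password, $hash);
}

// 3. HTML context: escape at output time, with quotes and charset specified so
//    the value is safe inside attribute values as well as element content.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed request data standing in for $_POST.
$post = ['username' => 'bob<script>', 'password' => 'hunter2'];

$username = validate_username($post['username']);
if ($username === null) {
    // Re-display the form. The rejected value is HTML-escaped because it is
    // being printed into an attribute, not because it is going to SQL.
    echo '<input name="username" value="' . html($post['username']) . '">';
    echo '<p>Username may only contain letters, digits and underscore.</p>';
    exit;
}

// Hypothetical DSN and credentials. Emulated prepares are switched off so the
// MySQL server itself performs the parameter binding.
$db = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app',
    'secret',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

create_user($db, $username, $post['password']);
var_dump(check_login($db, $username, $post['password']));  // bool(true)
var_dump(check_login($db, $username, 'wrong'));            // bool(false)
```

Each function is tied to exactly one output context: validate_username() decides what is allowed in at all, the PDO statements handle the SQL side, and html() is applied only at the point where a string is written into the page. Applying html() before the INSERT, or mysql_real_escape_string before echo, would be the context mix-up Apollo warns about.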