Easy Catch-All Sanitizer
I'm aware of the need for sanitizing any user inputs through post and get - is there a good way to sanitize all the $_POST and $_GET variables, for example, at the start of each page by default? Or would it be a little more involved since some of the post variables might be arrays...? Or should I just give up on this and take the time to sanitize every post and get I use?
Re: Easy Catch-All Sanitizer
They did this - it's called magic quotes. And now it's removed in PHP 6 cause it was a pile of smurf.
Presuming that you want all data escaped in the same way is a large (and usually WRONG) assumption.
I personally escape/validate stuff as I require it. Up to you though. But yeah, if you do decide to take the easy way, you might want to look into array_map() and array_walk() and stuff like that.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Easy Catch-All Sanitizer
Input can be used for so many different purposes that there is no way to automatically make it cleansed. Data must be handled before it enters another context (e.g. a database) and after it has been used in the current context (a PHP script). After you have cleansed a variable, you may only push it to the output or discard it, you may not use it in the current context any longer (or you need to cleanse it again and that might corrupt some data).
Forget that "easy catch-all sanitizer", it only works in your wettest dreams.
Re: Easy Catch-All Sanitizer
Alright, I've thrown that idea out. I've done some searching and found that htmlentities is good for output escaping, and mysql_real_escape_string is good for, obviously, escaping mysql queries. Most of what I found wouldn't go very far into what to do for securing, I'm guessing since it's such a big topic and I'm sure lots of people get paid a good chunk of change to do it. Are there any other functions that you would recommend for securing a site? If I'm sure to do something like $query = mysql_query(mysql_real_escape_string("The query")) any time there is user input, and do htmlentities anytime I'm printing out something which could have been influenced by the user, is that good enough?
- kaisellgren
Re: Easy Catch-All Sanitizer
paqman wrote: Are there any other functions that you would recommend for securing a site?
Maybe it would be better if you show us your application and let us point out problems in it. Security is a big topic and listing "functions that secure your site" is not an ideal approach.
paqman wrote: If I'm sure to do something like $query = mysql_query(mysql_real_escape_string("The query")) any time there is user input
Just to make sure, it's the user input you have to escape, not the entire query.
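As an added example (not code from the thread or from any of the posters), the following script shows the pattern the two replies above describe: keep the raw input in the script, validate its shape, and apply the escaping for each context only at the boundary into that context, never to the query text. It uses PDO prepared statements instead of the ext/mysql functions discussed in the thread; the in-memory SQLite database, the `posts` table and the helper names `h` and `updateTitle` are assumptions chosen so it runs offline.

```php
<?php
// Added example, not code from the thread. Demonstrates per-context handling
// of one untrusted value: validate in the script, bind for SQL, escape for HTML.
// The SQLite in-memory database and the `posts` table are assumptions.

function h(string $s): string {
    // HTML context: escape at output time, always starting from the raw value.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Updates a post title from request data and returns the HTML to render,
// or null when the input is rejected.
function updateTitle(PDO $pdo, array $get, array $post): ?string {
    $rawId    = $get['id']     ?? '';
    $rawTitle = $post['title'] ?? '';

    // Validation: check the shape this script needs; do not escape yet.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || mb_strlen($rawTitle) > 200) {
        return null;
    }

    // SQL context: the raw value travels as a bound parameter. Nothing is
    // applied to the query text itself, which is the mistake in
    // mysql_real_escape_string("The query").
    $stmt = $pdo->prepare('UPDATE posts SET title = :title WHERE id = :id');
    $stmt->bindValue(':title', $rawTitle, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    // Read the stored value back; it is still unescaped in the database.
    $sel = $pdo->prepare('SELECT title FROM posts WHERE id = :id');
    $sel->bindValue(':id', $id, PDO::PARAM_INT);
    $sel->execute();
    $row = $sel->fetch(PDO::FETCH_ASSOC);

    // Only now, for the HTML context, is the value escaped.
    return '<h1>' . h($row['title']) . '</h1>';
}

// Constructed request data standing in for $_GET / $_POST.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO posts (id, title) VALUES (1, 'old')");

$html = updateTitle($pdo, ['id' => '1'], ['title' => "Tom & Jerry's <b>day</b>"]);
// $html is "<h1>Tom &amp; Jerry&#039;s &lt;b&gt;day&lt;/b&gt;</h1>" while the
// row in `posts` still holds the original characters.

$rejected = updateTitle($pdo, ['id' => '1 OR 1=1'], ['title' => 'x']);
// $rejected is null: the id failed validation before any query ran.

// Why a catch-all pass at the top of the script corrupts data: escaping for
// HTML once and then storing or reusing that value means the next output
// escapes it again, and the user sees the entity text literally.
$once  = h('Tom & Jerry');  // "Tom &amp; Jerry"
$twice = h($once);          // "Tom &amp;amp; Jerry"
```

The point to take from the last three lines is the one in the earlier reply: once a value has been escaped for a context it is only fit to be sent to that context, so the script keeps the validated raw value and escapes a fresh copy each time it crosses a boundary.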