Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I have the following PHP code to stop SQL injection and whatever other bad stuff the scum might try to insert into my form fields. Does anyone see any problems with this? I have a strong feeling my site will eventually become a target.
Trim(), htmlspecialchars() and strip_tags() are pretty much useless in this case. You need properly constructed queries, possibly some whitelisting and mysql_real_escape_string(). See http://en.wikipedia.org/wiki/SQL_injection
kaisellgren wrote:Trim(), htmlspecialchars() and strip_tags() are pretty much useless in this case. You need properly constructed queries, possibly some whitelisting and mysql_real_escape_string(). See http://en.wikipedia.org/wiki/SQL_injection
Unless the only concern is SQL injection, trim and more importantly htmlspecialchars and strip_tags are important. For example if the OP is planning to display any of the user supplied information on his website.
As far as sql injection goes, do yourself a favor and use prepared statements.
strip_tags() is pretty much useless. With prepared statements, you still need occasional white list cleansing.
jackpf wrote:I personally believe that data should be encoded when displaying it, not when it's inserted into the database
I do it that way (encoding prior to displaying) nearly always. It is Output Encoding. It's more secure than its counterpart, Input Encoding, unless you have applied some sort of MAC to the encoded data in the database.
kaisellgren wrote:Trim(), htmlspecialchars() and strip_tags() are pretty much useless in this case. You need properly constructed queries, possibly some whitelisting and mysql_real_escape_string(). See http://en.wikipedia.org/wiki/SQL_injection
Unless the only concern is SQL injection, trim and more importantly htmlspecialchars and strip_tags are important. For example if the OP is planning to display any of the user supplied information on his website.
As far as sql injection goes, do yourself a favor and use prepared statements.
I will be displaying a bunch of user supplied data. In other areas, I am trying to do some validation as well. I don't know what prepared statements are. Happen to have a link to a very elementary intro to those?
kaisellgren wrote:strip_tags() is pretty much useless. With prepared statements, you still need occasional white list cleansing.
jackpf wrote:I personally believe that data should be encoded when displaying it, not when it's inserted into the database
I do it that way (encoding prior to displaying) nearly always. It is Output Encoding. It's more secure than its counterpart, Input Encoding, unless you have applied some sort of MAC to the encoded data in the database.
I am pretty new to this - you have lost me with the encoding when displaying bit. I have a lot to learn, no question about it.
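As an added example (not code from anyone in this thread) of the two pieces of advice above, prepared statements for the database write and output encoding at display time: it uses PDO with an in-memory SQLite table so it runs stand-alone, and the comments table, field names, validation rule and sample input are all constructed for the example; the same PDO calls work unchanged against a MySQL DSN.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7.4+ with pdo_sqlite.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Whitelist validation: reject what the field must not contain instead of
// "cleaning" it. Constructed rule: an author name is 1..40 letters, digits,
// spaces, dots, apostrophes or hyphens.
function validAuthor(string $name): bool
{
    return preg_match('/^[\p{L}\p{N} .\'-]{1,40}$/u', $name) === 1;
}

// Store the raw value. The placeholders keep data separate from the SQL text,
// so a quote inside the input cannot alter the statement; no escaping needed.
function saveComment(PDO $pdo, string $author, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Output encoding: escape for the HTML context at display time, not on insert.
// The database keeps the original text, so it can later be shown in another
// context (JSON, plain-text email) with that context's own encoding.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderComment(array $row): string
{
    return '<p><b>' . e($row['author']) . '</b>: ' . e($row['body']) . '</p>';
}

// Constructed sample input containing both a quote and markup.
$author = "Miles O'Brien";
$body   = "I'd say this is the <b>best</b> site";

if (!validAuthor($author)) {
    exit('Invalid author name');
}
$id = saveComment($pdo, $author, $body);

$stmt = $pdo->prepare('SELECT author, body FROM comments WHERE id = :id');
$stmt->execute([':id' => $id]);
echo renderComment($stmt->fetch(PDO::FETCH_ASSOC)), PHP_EOL;
```

The stored row still contains the apostrophe and the `<b>` tags verbatim; only the rendered HTML has them encoded, which is the "encode when displaying" point made above.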
Kai, why do you say strip_tags is useless? I would think that if the input you are asking for is not supposed to include any markup, you have two choices: use strip_tags and accept it, or invalidate it and force the user to enter a value that does not include markup.
JasonDFR wrote:Kai, why do you say strip_tags is useless? I would think that if the input you are asking for is not supposed to include any markup, you have two choices: use strip_tags and accept it, or invalidate it and force the user to enter a value that does not include markup.
Sorry, I was talking solely from the perspective of security. Sure, you could use strip_tags() to remove some markup, but as for securing a site, it's almost always useless.
andym67 wrote: I don't know what prepared statements are. Happen to have a link to a very elementary intro to those?