Is my field security secure?
Posted: Thu Oct 01, 2009 11:06 am
by andym67
I have the following PHP code to stop SQL injection and whatever else the scum might try to insert into my form fields. Does anyone see any problems with this? I have a strong feeling my site will eventually become a target.
Code:
    function clean($str) {
        $str = @trim($str);
        if (get_magic_quotes_gpc()) {
            $str = stripslashes($str);                 // undo magic_quotes before escaping again
        }
        $str = strip_tags($str);                       // drop HTML/PHP tags
        $str = htmlspecialchars($str, ENT_QUOTES);     // encode < > & " ' as entities
        return mysql_real_escape_string($str);         // needs an open mysql connection
    }
    // Flag the field if it contains any character outside the bracketed set.
    // Note: inside [...] "#-?" is a range, every character from # (0x23) to ? (0x3F).
    if (eregi("[^#-?.,`!a-zA-Z0-9 ]", $_POST['mystring'])) {
        $errmsg_arr[] = 'Non Allowed Character Found';
        $errflag = true;
    }
Also, eregi is deprecated in PHP 5.# and removed in PHP 6+ so what should I use as an alternative?
Thanks in advance.
Re: Is my field security secure?
Posted: Thu Oct 01, 2009 11:18 am
by jackpf
Use PCRE.
And it looks ok to me.
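The eregi() check from the first post rewritten with preg_match() (PCRE), as jackpf recommends. This is an added example, not code from the thread; the function names, the stricter whitelist and the sample inputs are my own construction.

```php
<?php
// Added example (not from the thread): the OP's eregi() check translated to
// preg_match(), next to an explicit whitelist for comparison.

// 1. Direct translation of eregi("[^#-?.,`!a-zA-Z0-9 ]", ...).
//    PCRE needs delimiters; /i reproduces eregi's case-insensitivity (a no-op
//    here, since both a-z and A-Z are listed). preg_match() returns 1 on a
//    match, 0 on no match and false on a pattern error, hence the === 1.
function has_disallowed_char_original($s) {
    return preg_match('/[^#-?.,`!a-zA-Z0-9 ]/i', $s) === 1;
}

// 2. Explicit whitelist. Inside [...] the OP's "#-?" is a RANGE covering every
//    byte from # (0x23) to ? (0x3F), which silently admits ' ( ) ; < = > / and
//    more. Here each permitted punctuation mark is written out, with "-" last
//    so it is literal, and the only ranges are the alphanumeric ones.
function has_disallowed_char_strict($s) {
    return preg_match('/[^A-Za-z0-9 .,!?#`-]/', $s) === 1;
}

// 3. Same shape as the OP's validation block, using the strict version.
function validate_mystring(array $post, array &$errmsg_arr) {
    $value = isset($post['mystring']) ? $post['mystring'] : '';
    if (has_disallowed_char_strict($value)) {
        $errmsg_arr[] = 'Non Allowed Character Found';
        return false;
    }
    return true;
}

// Constructed sample inputs.
$samples = [
    "Hello, world!",
    "O'Brien; DROP TABLE users",   // quote and semicolon
    "<b>bold</b>",                 // angle brackets and slash
    "caf\xc3\xa9",                 // UTF-8 e-acute, two bytes outside ASCII
];
foreach ($samples as $s) {
    printf("%-28s original:%-5s strict:%s\n",
        $s,
        has_disallowed_char_original($s) ? 'true' : 'false',
        has_disallowed_char_strict($s) ? 'true' : 'false');
}

$errors = [];
validate_mystring(['mystring' => "O'Brien"], $errors);
printf("errors for O'Brien: %d\n", count($errors));
```

Running it shows the point of the range remark: the quote/semicolon sample and the tag sample pass the original check, because every one of those characters falls inside the #..? range, while the strict whitelist rejects both; the UTF-8 sample is rejected by both. Whichever set you settle on, write it out character by character rather than as a range so the allowed set is exactly what you read.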
Re: Is my field security secure?
Posted: Fri Oct 02, 2009 12:56 am
by kaisellgren
Trim(), htmlspecialchars() and strip_tags() are pretty much useless in this case. You need properly constructed queries, possibly some whitelisting and mysql_real_escape_string(). See
http://en.wikipedia.org/wiki/SQL_injection
Re: Is my field security secure?
Posted: Wed Oct 14, 2009 1:22 pm
by andym67
Thanks all.
Re: Is my field security secure?
Posted: Thu Oct 15, 2009 5:26 am
by JasonDFR
kaisellgren wrote:Trim(), htmlspecialchars() and strip_tags() are pretty much useless in this case. You need properly constructed queries, possibly some whitelisting and mysql_real_escape_string(). See
http://en.wikipedia.org/wiki/SQL_injection
Unless the only concern is SQL injection, trim and, more importantly, htmlspecialchars and strip_tags are important. For example, if the OP is planning to display any of the user-supplied information on his website.
As far as SQL injection goes, do yourself a favor and use prepared statements.
Re: Is my field security secure?
Posted: Thu Oct 15, 2009 5:34 am
by jackpf
I personally believe that data should be encoded when displaying it, not when it's inserted into the database.
Either works though...
Re: Is my field security secure?
Posted: Thu Oct 15, 2009 5:44 am
by kaisellgren
strip_tags() is pretty much useless. With prepared statements, you still need occasional white list cleansing.
jackpf wrote:I personally believe that data should be encoded when displaying it, not when it's inserted into the database
I do it that way (encoding prior to displaying) nearly always. It is Output Encoding. It's more secure than its counterpart, Input Encoding, unless you have applied some sort of MAC to the encoded data in the database.
Re: Is my field security secure?
Posted: Thu Oct 15, 2009 8:50 am
by andym67
JasonDFR wrote:kaisellgren wrote:Trim(), htmlspecialchars() and strip_tags() are pretty much useless in this case. You need properly constructed queries, possibly some whitelisting and mysql_real_escape_string(). See
http://en.wikipedia.org/wiki/SQL_injection
Unless the only concern is SQL injection, trim and, more importantly, htmlspecialchars and strip_tags are important. For example, if the OP is planning to display any of the user-supplied information on his website.
As far as SQL injection goes, do yourself a favor and use prepared statements.
I will be displaying a bunch of user supplied data. In other areas, I am trying to do some validation as well. I don't know what prepared statements are. Happen to have a link to a very elementary intro to those?
Re: Is my field security secure?
Posted: Thu Oct 15, 2009 8:51 am
by andym67
kaisellgren wrote:strip_tags() is pretty much useless. With prepared statements, you still need occasional white list cleansing.
jackpf wrote:I personally believe that data should be encoded when displaying it, not when it's inserted into the database
I do it that way (encoding prior to displaying) nearly always. It is Output Encoding. It's more secure than its counterpart, Input Encoding, unless you have applied some sort of MAC to the encoded data in the database.
I am pretty new to this - you have lost me with the encoding when displaying bit. I have a lot to learn, no question about it.
Re: Is my field security secure?
Posted: Thu Oct 15, 2009 9:59 am
by jackpf
Ok, well you need to convert html characters to their html entities...there's no question about that.
However, you can either encode the data when it's put into the database (input) or when it's taken out of the database (output).
I believe you should do the latter.
1. You can easily change encoding without having to fix all your data
2. Original data is kept
3. It takes up less space
..and so on. I'm sure there are many other reasons...
Re: Is my field security secure?
Posted: Thu Oct 15, 2009 10:15 am
by JasonDFR
kaisellgren wrote:strip_tags() is pretty much useless. With prepared statements, you still need occasional white list cleansing.
Yes, anything user supplied should be escaped prior to output for all the reasons mentioned.
http://php.net/manual/en/pdo.prepared-statements.php Prepared statements will provide protection against sql injection.
Kai, why do you say strip_tags is useless? I would think that if the input you are asking for is not supposed to include any markup, you have two choices, use strip_tags and accept it, or invalidate it and force the user to enter a value that does not include markup.
Re: Is my field security secure?
Posted: Thu Oct 15, 2009 10:18 am
by jackpf
..or you could just encode it to display properly.
Re: Is my field security secure?
Posted: Thu Oct 15, 2009 10:29 am
by JasonDFR
jackpf wrote:..or you could just encode it to display properly.
What do you mean?
Re: Is my field security secure?
Posted: Thu Oct 15, 2009 11:42 am
by jackpf
If you use htmlentities() or htmlspecialchars(), then it'll just display whatever they've entered. Seems more logical than to just remove parts.

Re: Is my field security secure?
Posted: Fri Oct 16, 2009 2:09 am
by kaisellgren
JasonDFR wrote:Kai, why do you say strip_tags is useless? I would think that if the input you are asking for is not supposed to include any markup, you have two choices, use strip_tags and accept it, or invalidate it and force the user to enter a value that does not include markup.
Sorry, I was talking solely from the perspective of security. Sure, you could use strip_tags() to remove some markup, but as for securing a site, it's almost always useless.
andym67 wrote: I don't know what prepared statements are. Happen to have a link to a very elementary intro to those?
This should get you started:
http://fi.php.net/manual/en/pdo.prepared-statements.php
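The two recommendations the thread converges on, PDO prepared statements (the manual page linked above) and output encoding at display time (jackpf's three reasons), in one runnable piece. This is an added example and not code from the thread or the PHP manual; it uses an in-memory SQLite database through PDO (requires the pdo_sqlite extension) so it runs offline, and the comments table, function names and sample rows are constructed for the illustration.

```php
<?php
// Added example, not code from the thread. Prepared statements next to the
// string-built query they replace, plus htmlspecialchars() at render time.

function open_db() {
    // Constructed in-memory database; on MySQL you would also set
    // PDO::ATTR_EMULATE_PREPARES to false to get server-side prepares.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
    return $db;
}

// Safe: placeholders keep the values out of the SQL text entirely, so a quote
// or semicolon in $body is just data. No mysql_real_escape_string() needed.
function add_comment(PDO $db, $author, $body) {
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function find_by_author_safe(PDO $db, $author) {
    $stmt = $db->prepare('SELECT id, author, body FROM comments WHERE author = ?');
    $stmt->execute([$author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// DELIBERATELY VULNERABLE, kept only for contrast: the value is pasted into
// the SQL string, so a quote in $author changes the query itself.
function find_by_author_unsafe(PDO $db, $author) {
    $sql = "SELECT id, author, body FROM comments WHERE author = '" . $author . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Output encoding: applied when rendering into HTML, so the database keeps
// the original text and the encoding can change later without rewriting rows.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$db = open_db();
add_comment($db, "O'Brien", "I said \"hi\" <script>alert(1)</script>");
add_comment($db, 'mallory', 'nothing to see here');

// The classic injection string used as a lookup value.
$probe = "x' OR '1'='1";
printf("unsafe lookup returns %d rows\n", count(find_by_author_unsafe($db, $probe)));
printf("safe lookup returns %d rows\n",   count(find_by_author_safe($db, $probe)));

foreach (find_by_author_safe($db, "O'Brien") as $row) {
    printf("stored:   %s\n", $row['body']);           // raw, exactly as submitted
    printf("rendered: <p>%s</p>\n", h($row['body']));  // entities, inert inside HTML text
}
```

With the probe string, the concatenated query becomes WHERE author = 'x' OR '1'='1' and returns every row, while the prepared statement compares the whole string as a literal author name and returns none. The stored body keeps its quotes and script tag untouched; only the rendered copy is encoded, which is the Output Encoding approach kaisellgren and jackpf describe. Note that htmlspecialchars() is the right encoder for HTML text and attribute values; data placed into a JavaScript block or a URL needs the encoding appropriate to that context instead.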