PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
PostPosted: Thu Mar 10, 2005 9:35 pm 
Forum Contributor

Joined: Thu Mar 10, 2005 1:24 pm
Posts: 107
Location: Land of the Beaver
Hi,

Well, I'm designing a PHP project. I'm looking for ways to make sure I can secure it. It will be open-sourced, so I decided on creating a class to hold functions that will sanitize user input, validate e-mails, etc. Hopefully, another programmer would be able to do something like this:

$validate->sanitize($_POST['Some_data']);


Then the code would be completely safe to use for SQL, input, etc. I know it's not possible to get 100% security, but I want to try. So, I'm wondering, what can (should) be done to sanitize an input value with one function? I have thought of using functions such as:

htmlspecialchars()
trim()

If anyone has any thoughts or suggestions, I would love to hear them.

Thanks,

Sphen001


Last edited by Sphen001 on Tue Jul 12, 2005 9:17 pm, edited 1 time in total.

PostPosted: Thu Mar 10, 2005 9:39 pm
Forum Contributor

Joined: Tue Mar 09, 2004 10:05 am
Posts: 168
Location: Arkansas, USA
If you are validating user input for an SQL query, mysql_real_escape_string($var) is all you need... except, of course, if you need to remove the HTML characters, etc. However, to prevent SQL injection, mysql_real_escape_string is all you need.

- Monkey


PostPosted: Thu Mar 10, 2005 9:43 pm
Forum Contributor

Joined: Thu Mar 10, 2005 1:24 pm
Posts: 107
Location: Land of the Beaver
Hi,

Thanks for your reply.

Basically, I want to be able to validate any type of input.

So, following your suggestion, I could have a class that looks something like this:

<?php

class validate
{
    function sanitize_sql($var)
    {
        // Escapes quotes and other special characters so the value can be
        // placed inside a quoted SQL string literal; needs an open mysql connection.
        return mysql_real_escape_string($var);
    }
}


However, I would want some other functions to validate form input. This is where htmlspecialchars() and trim() come in.

Can you think of any I've missed? Optimally, one function call could completely validate a form input and make it safe for use.

Thanks,

Sphen001


PostPosted: Thu Mar 10, 2005 9:57 pm
Forum Contributor

Joined: Tue Mar 09, 2004 10:05 am
Posts: 168
Location: Arkansas, USA
I wouldn't be too hasty to make it a class - I know they look cool, but they can just cause problems / extra steps with little benefit.

If you really want to have all of your validation functions in a class, I would make it a static class. Thus:

class validate
{
    // Declared static so it is called as validate::sanitize_sql() without an instance.
    static function sanitize_sql($string)
    {
        return mysql_real_escape_string($string);
    }
}

$some_stupid_user_input = $_GET['blah'];

// The escaped value must sit inside the quotes for the escaping to protect the query.
$sql = "SELECT * FROM foo WHERE blah = '" . validate::sanitize_sql($some_stupid_user_input) . "'";

$result = mysql_query($sql);


Basically, you call the methods via class::method() instead of $class->method().

- Monkey
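
The static-helper pattern above, carried onto a current PHP stack, as an added example that is not Monkey's code or part of the thread. It assumes PDO with the SQLite driver (an in-memory database, so it runs offline); the class name SqlSafe, the users table and its two rows are all constructed for the example. It shows the same value handled three ways: bound through a prepared statement, wrapped with PDO::quote() as a modern stand-in for sanitize_sql(), and concatenated raw.

```php
<?php
// Added example (not from the thread): Monkey's static-helper pattern applied
// to SQL with PDO. Uses an in-memory SQLite database so it runs offline; the
// table and rows below are constructed sample data.
declare(strict_types=1);

final class SqlSafe
{
    // Preferred: the value is bound as a parameter and never becomes part of
    // the SQL text, so no escaping step is needed at all.
    public static function findByName(PDO $pdo, string $name): array
    {
        $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
        $stmt->execute([':name' => $name]);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    // Escaping fallback in the spirit of sanitize_sql(). PDO::quote() adds the
    // surrounding quotes itself, so the caller must NOT add its own.
    public static function literal(PDO $pdo, string $value): string
    {
        $quoted = $pdo->quote($value);
        if ($quoted === false) {
            throw new RuntimeException('driver does not support quoting');
        }
        return $quoted;
    }
}

function setupDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    foreach (["O'Brien", 'alice'] as $n) {   // constructed sample rows
        $ins->execute([':name' => $n]);
    }
    return $pdo;
}

$pdo   = setupDb();
$input = "O'Brien";   // legitimate input whose apostrophe breaks naive concatenation

// 1) Prepared statement: the apostrophe is data, not SQL syntax.
$rows = SqlSafe::findByName($pdo, $input);
printf("prepared statement matched %d row(s)\n", count($rows));

// 2) Escaped literal: also safe, because the quotes come from PDO::quote().
$sql  = 'SELECT id, name FROM users WHERE name = ' . SqlSafe::literal($pdo, $input);
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
printf("quoted literal matched %d row(s)\n", count($rows));

// 3) Raw concatenation: the apostrophe terminates the literal early and the
//    statement is malformed; ERRMODE_EXCEPTION surfaces that as PDOException.
try {
    $pdo->query("SELECT id, name FROM users WHERE name = '" . $input . "'");
    echo "unexpected: raw concatenation ran\n";
} catch (PDOException $e) {
    echo "raw concatenation rejected: " . $e->getMessage() . "\n";
}
```

The caveat the thread's usage line relies on is visible in case 2: escaping only protects a value that ends up inside a quoted string literal, which is why PDO::quote() supplies the quotes and why an escaped value dropped into an unquoted numeric comparison would gain nothing from the escaping. Binding parameters (case 1) removes that dependency on the surrounding query text.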


PostPosted: Thu Mar 10, 2005 10:00 pm
Forum Contributor

Joined: Thu Mar 10, 2005 1:24 pm
Posts: 107
Location: Land of the Beaver
Hi,

Thanks.

I just put the functions in a class in order to keep them together. It's not written down in stone.

Sphen001


PostPosted: Thu Mar 10, 2005 10:02 pm
Forum Contributor

Joined: Tue Mar 09, 2004 10:05 am
Posts: 168
Location: Arkansas, USA


PostPosted: Thu Mar 10, 2005 10:08 pm
Forum Contributor

Joined: Thu Mar 10, 2005 1:24 pm
Posts: 107
Location: Land of the Beaver


PostPosted: Thu Mar 10, 2005 10:17 pm
Neighborhood Spidermoddy

Joined: Mon Mar 29, 2004 4:24 pm
Posts: 31559
Location: Bothell, Washington, USA


PostPosted: Thu Mar 10, 2005 10:18 pm
Forum Contributor

Joined: Tue Mar 09, 2004 10:05 am
Posts: 168
Location: Arkansas, USA


PostPosted: Thu Mar 10, 2005 10:27 pm
Neighborhood Spidermoddy

Joined: Mon Mar 29, 2004 4:24 pm
Posts: 31559
Location: Bothell, Washington, USA


PostPosted: Fri Mar 11, 2005 8:40 am
Forum Contributor

Joined: Thu Mar 10, 2005 1:24 pm
Posts: 107
Location: Land of the Beaver
Wow, thanks for all the replies.

The main thing I'm concerned about is, as you say, SQL Injection and Form Injection. I'll look at making a few functions that combine some of them into one.

The reason for that, as I stated above, is that other developers may be adding to this code. Therefore, by giving them only one function they have to run, the code will still be (mostly) safe, even if they don't know a lot about security.

Thanks a lot.

Sphen001


PostPosted: Fri Mar 11, 2005 4:57 pm
Forum Contributor

Joined: Fri Jul 09, 2004 1:23 am
Posts: 422


PostPosted: Mon Mar 14, 2005 3:20 pm
Forum Contributor

Joined: Sun Feb 06, 2005 12:22 pm
Posts: 124


PostPosted: Wed Mar 16, 2005 3:17 pm
Forum Contributor

Joined: Thu Mar 10, 2005 1:24 pm
Posts: 107
Location: Land of the Beaver
Wow, that really helps.

I guess what I should do is create different functions for different types of circumstances. What I was looking at in my first post however, was a way to do a general clean up of all data. That's where stuff like htmlspecialchars() and trim() come into play.

Thanks a lot :D

Sphen
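
Sphen's conclusion, one function per circumstance rather than one sanitize() for everything, as an added example that is not Sphen's code or part of the thread. The class name Sanitize, its method names and the three sample submissions are constructed for the example. trim() and a length check normalise raw form input, filter_var() validates the e-mail (rejecting rather than "cleaning"), and htmlspecialchars() is applied only when a value is rendered; the last lines show why encoding for HTML before storage is the wrong order.

```php
<?php
// Added example (not from the thread): one helper per context instead of a
// single sanitize(). Class and method names are chosen for this example.
declare(strict_types=1);

final class Sanitize
{
    // Normalise a raw form field: it must be a string (a tampered form can send
    // arrays), surrounding whitespace is dropped, and oversized values are refused.
    public static function text(mixed $raw, int $maxBytes = 255): string
    {
        if (!is_string($raw)) {
            throw new InvalidArgumentException('expected a string field');
        }
        $value = trim($raw);
        if (strlen($value) > $maxBytes) {
            throw new InvalidArgumentException('value too long');
        }
        return $value;
    }

    // Validate, do not "clean": an e-mail either parses or the request is rejected.
    public static function email(string $value): string
    {
        $email = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
        if ($email === false) {
            throw new InvalidArgumentException('invalid e-mail address');
        }
        return $email;
    }

    // HTML escaping belongs at output time. ENT_QUOTES also covers attribute
    // values in single quotes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string.
    public static function forHtml(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample submissions, shaped as $_POST would deliver them.
$posts = [
    ['name' => "  O'Brien <b>  ", 'email' => 'obrien@example.com'],
    ['name' => 'alice',           'email' => 'not an address'],
    ['name' => ['x'],             'email' => 'a@example.com'],
];

foreach ($posts as $i => $post) {
    try {
        $name  = Sanitize::text($post['name']);
        $email = Sanitize::email($post['email']);
        // $name is stored unencoded (through a prepared statement in real code)
        // and encoded only when rendered, so the stored apostrophe stays intact.
        printf("#%d stored   name=%s email=%s\n", $i, $name, $email);
        printf("#%d rendered <td>%s</td>\n", $i, Sanitize::forHtml($name));
    } catch (InvalidArgumentException $e) {
        printf("#%d rejected: %s\n", $i, $e->getMessage());
    }
}

// Why one sanitize() for every context fails: HTML-encoding before storage
// changes the data, and the htmlspecialchars() call at output then encodes
// the already-encoded entities a second time.
$once  = Sanitize::forHtml("O'Brien");
$twice = Sanitize::forHtml($once);
printf("encoded once:  %s\nencoded twice: %s\n", $once, $twice);
```

The split matches the thread's two concerns: SQL safety comes from how the value reaches the query (binding or driver escaping at the query site), and HTML safety from escaping at the template. Neither belongs in a generic clean-up pass over $_POST, while trim() and a type/length check do, because they are about the input itself rather than about where it will be used.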

