is this filtering secure ??

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

PHPycho
Forum Contributor
Posts: 336
Joined: Fri Jan 06, 2006 12:37 pm

is this filtering secure ??

Post by PHPycho »

Hello forums !!
I would like to know if I am doing this right for security purposes or not.
For any user-submitted data ($_POST & $_GET) I do the following:
PHP Code:

$_POST = filter_input($_POST);
// $_GET = filter_input($_GET);

// then after use that submitted data for queries as
$sql = "INSERT INTO `table_name` (field1, field2) VALUES('" . $_POST['field1'] . "', '" . $_POST['field2'] . "')";

// filter_input function
// Takes the array or string to filter as $arg.
// mysql_real_escape_string() needs an open mysql connection, so call this after mysql_connect().
// Note: PHP 5.2 and later ship a built-in filter_input(), so this name collides with it there.
function filter_input($arg){
    if(is_array($arg)){
        foreach($arg as $key => $value){
            if(is_array($value)){
                // walk nested arrays by key rather than by numeric index
                foreach($value as $k => $v){
                    $arg[$key][$k] = mysql_real_escape_string(htmlentities(trim($v), ENT_QUOTES, 'UTF-8'));
                }
            }else{
                $arg[$key] = mysql_real_escape_string(htmlentities(trim($value), ENT_QUOTES, 'UTF-8'));
            }
        }
        return $arg;
    }elseif(is_string($arg)){
        return mysql_real_escape_string(htmlentities(trim($arg), ENT_QUOTES, 'UTF-8'));
    }else{
        return $arg;
    }
}

My question:
- is this a secure filter or not?

Thanks in advance for your valuable suggestions.
jimthunderbird
Forum Contributor
Posts: 147
Joined: Tue Jul 04, 2006 3:59 am
Location: San Francisco, CA

Re: is this filtering secure ??

Post by jimthunderbird »

Should your function be: function filter_input($arg) instead of function filter_input() ?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: is this filtering secure ??

Post by John Cartwright »

Moved to PHP-Security.
PHPycho
Forum Contributor
Posts: 336
Joined: Fri Jan 06, 2006 12:37 pm

Re: is this filtering secure ??

Post by PHPycho »

OK, that's my mistake. Besides that, are there any security issues regarding my function?
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Re: is this filtering secure ??

Post by jmut »

This "solution", even if relatively secure, is not useful from a programming point of view:
- you obscure data before you use it -> htmlentities... hence you cannot compare, or do anything else, on the actual input data. Use htmlentities only when outputting content in an HTML context
- good practice is to use mysql_real_escape_string right before you insert/update or whatever - there was a really nice article on SQL injection by mordred
- this usage of $_POST totally degrades readability - rather assign it to a variable $clean or something
- All of those are addressed in the forums... a simple search should give a hint
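As an added illustration of the structure jmut describes (this is example code, not PHPycho's function or anything jmut posted): validation runs on the raw values in a `$clean` array, SQL escaping happens only where the query is built, and HTML escaping happens only at output. It assumes a mysqli connection passed in as `$db` (the thread uses the older mysql_* extension, where the equivalent call is `mysql_real_escape_string($value)`); the table and column names, the country whitelist and the sample input are made up.

```php
<?php
// Added example, not code from the thread. Assumes a mysqli connection in $db;
// table/column names and the whitelist below are invented for illustration.

// 1. Validate the raw submission into a $clean array. Every check runs on the
//    value exactly as the user sent it. Had the input gone through htmlentities()
//    first, a name such as O'Brien would arrive as O&#039;Brien, and the regex
//    below or a comparison against a stored value would no longer behave.
function clean_signup(array $post): array
{
    $clean = [];

    $clean['username'] = trim((string)($post['username'] ?? ''));
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]{2,19}$/', $clean['username'])) {
        throw new InvalidArgumentException('username: 3-20 letters, digits or _');
    }

    // Whitelist comparison on the real input value (made-up list).
    $allowedCountries = ['US', 'CA', 'BG'];
    $clean['country'] = (string)($post['country'] ?? '');
    if (!in_array($clean['country'], $allowedCountries, true)) {
        throw new InvalidArgumentException('country not in list');
    }

    // Free text is kept as submitted (trimmed and length-limited). No escaping
    // yet: at this point we do not know which output context it will reach.
    $clean['comment'] = trim((string)($post['comment'] ?? ''));
    if (mb_strlen($clean['comment'], 'UTF-8') > 500) {
        throw new InvalidArgumentException('comment too long');
    }
    return $clean;
}

// 2. SQL escaping is applied where the query string is built, right before it
//    runs, using the connection's charset. $clean itself is left untouched.
function build_insert(mysqli $db, array $clean): string
{
    return sprintf(
        "INSERT INTO `members` (username, country, comment) VALUES ('%s', '%s', '%s')",
        mysqli_real_escape_string($db, $clean['username']),
        mysqli_real_escape_string($db, $clean['country']),
        mysqli_real_escape_string($db, $clean['comment'])
    );
}

// 3. HTML escaping is applied only when the value is written into HTML.
function render_comment(array $clean): string
{
    return '<p>' . htmlentities($clean['comment'], ENT_QUOTES, 'UTF-8') . '</p>';
}

// Usage with constructed input; $db would come from mysqli_connect(...).
$clean = clean_signup([
    'username' => 'o_brien',
    'country'  => 'CA',
    'comment'  => "It's <b>fine</b>",
]);
// $sql = build_insert($db, $clean);
// echo render_comment($clean);
```

Because `$clean` holds the data in its original form, the same array can be compared, logged, validated further, or stored through a different driver later; each escaping step is tied to the one context it protects, which is the point of jmut's first two bullets.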