is this filtering secure ??

Posted: Thu Jan 17, 2008 12:24 am
by PHPycho
Hello forums!!
I would like to know if I am doing the right thing for security purposes or not.
For any user-submitted data ($_POST & $_GET) I do the following:
PHP Code:

$_POST = filter_input($_POST);

// $_GET = filter_input($_GET);

// then afterwards use that submitted data for queries as

$sql = "INSERT INTO `table_name` (field1, field2) VALUES ('".$_POST['field1']."', '".$_POST['field2']."')";


// filter_input function
// Takes a string or an (optionally nested) array of submitted values and
// returns it trimmed, HTML-entity-encoded and escaped for MySQL.
// mysql_real_escape_string() needs an open mysql_connect() link.

function filter_input($arg){
    if(is_array($arg)){
        foreach($arg as $key => $value){
            if(is_array($value)){
                // nested array (e.g. field[] inputs): filter each element the same way
                $arg[$key] = filter_input($value);
            }else{
                $arg[$key] = mysql_real_escape_string(htmlentities(trim($value), ENT_QUOTES, 'UTF-8'));
            }
        }
        return $arg;
    }elseif(is_string($arg)){
        return mysql_real_escape_string(htmlentities(trim($arg), ENT_QUOTES, 'UTF-8'));
    }else{
        // anything else (int, null, ...) is returned untouched
        return $arg;
    }
}

My question:
- is this a secure filter or not?

Thanks in advance for your valuable suggestions.

Re: is this filtering secure ??

Posted: Thu Jan 17, 2008 12:27 am
by jimthunderbird
Should your function be: function filter_input($arg) instead of function filter_input() ?

Re: is this filtering secure ??

Posted: Thu Jan 17, 2008 12:48 am
by John Cartwright
Moved to PHP-Security.

Re: is this filtering secure ??

Posted: Thu Jan 17, 2008 1:16 am
by PHPycho
OK, that's my mistake. Besides that, are there any security issues regarding my function?

Re: is this filtering secure ??

Posted: Thu Jan 17, 2008 1:30 am
by jmut
This "solution", even if relatively secure, is not useful from a programming point of view:
- you obscure data before you use it -> htmlentities... hence you cannot compare, or do anything else, on the actual input data. Use htmlentities only when outputting content in an HTML context
- good practice is to use mysql_real_escape_string right before you insert/update or whatever - there was a really nice article on SQL injection by mordred
- this usage of $_POST totally degrades readability - rather assign it to a variable $clean or something
- All of those are addressed in the forums... a simple search should give a hint
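The separation jmut describes (keep the raw input in a $clean array, escape for SQL just before the query, encode for HTML only at output), written out as an added example that is not code from the thread; it assumes a mysqli connection with placeholder credentials and reuses the table_name/field1/field2 placeholders from the original post:

```php
<?php
// Added example, not from the thread. Assumes a mysqli link with placeholder credentials.
$db = new mysqli('localhost', 'db_user', 'db_pass', 'db_name'); // placeholders

// 1. Validate into a separate $clean array. Only trim here: no entity encoding and
//    no SQL escaping, so the values can still be compared and validated as typed.
$clean = array();
foreach (array('field1', 'field2') as $name) {
    $clean[$name] = (isset($_POST[$name]) && is_string($_POST[$name])) ? trim($_POST[$name]) : '';
}
if ($clean['field1'] === '') {
    die('field1 is required'); // a comparison that htmlentities() on input would break
}

// 2. SQL context: bind the values right before the query. The driver handles the
//    escaping, so a quote inside a value can never terminate the string literal.
$stmt = $db->prepare('INSERT INTO `table_name` (field1, field2) VALUES (?, ?)');
$stmt->bind_param('ss', $clean['field1'], $clean['field2']);
$stmt->execute();

// The same boundary with the escaping style the thread discusses: escape at the
// point of use, with the connection's own charset, not at input time.
$sql = "INSERT INTO `table_name` (field1, field2) VALUES ('"
     . $db->real_escape_string($clean['field1']) . "', '"
     . $db->real_escape_string($clean['field2']) . "')";

// 3. HTML context: encode only when the value is echoed into a page.
echo 'You entered: ' . htmlentities($clean['field1'], ENT_QUOTES, 'UTF-8');
```

Each context gets exactly one encoding, applied where the data leaves the application, so $clean stays usable for comparisons and validation in between.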