Goal: Properly sanitize all inputs from text boxes before entering into DB, which is then output to a page. For my use case, I need to prevent potential problems while not eliminating the data input. Also, the charset is explicitly set to UTF-8 in both the HTTP header and the META tag to prevent problems with malformed encoding. The DB is also set to UTF-8.
Specs: PHP, MySQL, Apache
Sample Code:
function secureinput($input)
{
$input = htmlspecialchars($input, ENT_QUOTES ,'UTF-8');
$input = strip_tags($input); //fail-safe for anything that gets through
$input = mysql_real_escape_string($input);
return $input;
}
Question: What vectors of attack (XSS, SQL Injection, etc.) is this still vulnerable to?
A huge thanks to anyone who can help. This is my first time posting, though I've always turned to SO first for looking up answers to my questions. Unfortunately, this time I couldn't find any other questions that answered my problem, only small parts of it.
Answer
XSS Attacks
By using htmlspecialchars() whenever you output user-inputted content, you can ensure you will be safe from XSS attacks.
SQL Injection
Steve Friedl provides some examples of SQL Injections and limitations of input sanitization on his website: http://www.unixwiz.net/techtips/sql-injection.html
Even though your code may be secure from SQL injection attacks with mysql_real_escape_string(), you are better off using parameterized SQL and eliminating the risk of SQL injection altogether. You will also be much more secure if you use PDO or mysqli in PHP instead of the deprecated mysql functions.
No comments:
Post a Comment