Is there a catch-all function somewhere that works well for sanitizing user input against SQL injection and XSS attacks, while still allowing certain types of HTML tags?
- First example:
- To avoid these problems, whenever we embed a string within foreign code we must escape it according to the rules of that language. For example, if we embed a string in SQL targeting MySQL, we must escape the string with MySQL's function for this purpose (mysqli_real_escape_string).
- Second example is HTML:
- If we embed strings within HTML markup, we must escape them with htmlspecialchars. This means that every echo or print statement that outputs such a string should use htmlspecialchars.
- Third example, shell commands:
- If we're going to embed strings (such as arguments) in external commands and run them with exec, then we must use escapeshellcmd and escapeshellarg.
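The three contexts above side by side, as an added example (not code from the original post). The same untrusted string is escaped once per language it is embedded in; `$input` is a constructed sample that contains characters special in all three contexts. The MySQL helper takes a `mysqli` connection because `real_escape_string` depends on the connection's character set, so it is defined here but only called when a connection exists; the HTML and shell parts run offline.

```php
<?php
// Added example (not from the original post): escape the same untrusted string
// according to the rules of each language it is embedded in.
declare(strict_types=1);

// Constructed sample input: a single quote (SQL/shell), angle brackets and an
// ampersand (HTML), a semicolon and a variable reference (shell).
$input = "O'Reilly <b>& Sons</b>; echo \$HOME";

// 1) HTML context: escape at output time. ENT_QUOTES also converts single
//    quotes (needed inside single-quoted attributes); always name the charset.
function toHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 2) Shell context: escapeshellarg() wraps the value in single quotes and
//    escapes embedded single quotes, so it becomes exactly one literal argument.
//    escapeshellcmd() is the companion for an entire command string.
function toShellCommand(string $s): string
{
    return 'printf %s ' . escapeshellarg($s);
}

// 3) SQL context (MySQL): the driver's escaping function needs a live connection.
//    Prepared statements with bound parameters are the better choice; this
//    function only shows the escaping rule itself. Not called below because the
//    example runs without a database; pass your own mysqli connection to use it.
function toMysqlLiteral(mysqli $db, string $s): string
{
    return "'" . $db->real_escape_string($s) . "'";
}

echo 'HTML:  ', toHtml($input), PHP_EOL;
echo 'Shell: ', toShellCommand($input), PHP_EOL;

// Running the escaped command prints the original bytes unchanged: the
// semicolon did not start a second command and $HOME was not expanded.
echo 'Shell output: ', shell_exec(toShellCommand($input)), PHP_EOL;
```

The HTML line shows `&lt;b&gt;` and `&amp;`, the shell line shows the value wrapped as `'O'\''Reilly ...'`, and the shell output is the input verbatim.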
Here we are describing two separate issues:
1) Sanitizing / filtering of user input data. User input should always be assumed to be bad. Using prepared statements and/or escaping with mysql_real_escape_string is definitely a must. PHP also has filter_input built in, which is a good place to start.
2) Escaping of output data. This is a large topic, and it depends on the context of the data being output. For HTML there are solutions such as HTML Purifier. As a rule of thumb, always escape any output.
- The best way to sanitize user input in PHP is the sanitize filters (http://php.net/manual/en/filter.filters.sanitize.php); otherwise use htmlentities() or htmlspecialchars().
- For more reference: htmlspecialchars – Manual (http://php.net/htmlspecialchars), htmlentities – Manual.
- SQL injection is an input filtering problem, and XSS is an output escaping one, so we cannot perform these two operations at the same point in the code's lifecycle.
- Basic rules:
- For SQL queries, bind parameters (as with PDO) or use a driver-native escaping function for query variables (such as mysql_real_escape_string()).
- Use strip_tags() to filter out unwanted HTML.
- Escape all other output with htmlspecialchars(), and be mindful of its 2nd and 3rd parameters (flags and character set).
- To address the XSS issue, take a look at HTML Purifier (http://www.htmlpurifier.org/). It is fairly configurable and has a decent track record.
- As for SQL injection attacks, make sure to check the user input, and then run it through mysql_real_escape_string(). The function won't defeat all injection attacks, though, so it is important to check the data before putting it into our query string.
- A better solution is to use prepared statements. The PDO (http://www.php.net/pdo) and mysqli extensions support these.
- The way to use the id in a WHERE clause is to ensure that the id definitely is an integer, like so:
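The two rules above, bind parameters instead of interpolating and make sure an id used in a WHERE clause really is an integer, as an added example (not code from the original post). It uses PDO with an in-memory SQLite database so it runs offline; the table and rows are constructed sample data. PDO rather than mysql_real_escape_string because the ext/mysql extension that function belongs to was removed in PHP 7.

```php
<?php
// Added example (not from the original post): validate the id, then bind it.
declare(strict_types=1);

// Constructed sample database so the example runs without a server.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Validate, do not "clean": anything that is not a positive integer is
// rejected outright instead of being coerced into something else.
function validatedId(string $raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException("id must be a positive integer, got '$raw'");
    }
    return $id;
}

// The query text is fixed; the value travels separately as a typed parameter,
// so the database never parses user data as SQL.
function findUserName(PDO $pdo, string $rawId): ?string
{
    $id = validatedId($rawId);
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

// Constructed inputs as they would arrive in $_GET['id'] (always strings).
foreach (['2', '0', '1 OR 1=1', '3'] as $raw) {
    try {
        var_dump(findUserName($pdo, $raw)); // '2' -> "bob", '3' -> NULL (no such row)
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL; // '0' and '1 OR 1=1'
    }
}
```

`'0'` fails the `min_range` check and `'1 OR 1=1'` is not an integer at all, so neither reaches the query; `'3'` is well-formed but matches no row, which is a normal empty result rather than an error.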
- If we're using PostgreSQL, the input from PHP can be escaped with pg_escape_string().
- pg_escape_string() escapes a string for querying the database. It returns the escaped string in PostgreSQL format, without surrounding quotes.
- The easiest way to avoid mistakes in sanitizing input and escaping data is to use a PHP framework.
- The framework sanitizes input automatically, and we don't use the $_POST, $_GET or $_SESSION variables directly but through mechanisms like routing, session handling, etc.
- For the database (model) layer there are ORM frameworks like Doctrine, or wrappers around PDO like Nette Database.
- PHP 5.2 introduced the filter_var function.
- It supports a great many SANITIZE and VALIDATE filters.
- We can't filter data without any context. Sometimes we need to take a SQL query as input and sometimes we need to take HTML as input.
- We need to filter input against a whitelist (ensure that the data matches some specification of what we expect), and then escape it before we use it, depending on the context in which it is used.
- The process of escaping data for SQL – to prevent SQL injection – is very different from the process of escaping data for (X)HTML, to prevent XSS.
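The whitelist-then-escape sequence above, as an added example (not code from the original post): filter_var validates the input against an expected shape, and escaping happens later, chosen by the output context. It also shows what the 2nd and 3rd htmlspecialchars() parameters change and why strip_tags() on its own does not make user-supplied HTML safe, which is the reason the answers point at HTML Purifier. All inputs are constructed sample values.

```php
<?php
// Added example (not from the original post): allowlist validation first,
// context-specific escaping at output time.
declare(strict_types=1);

// Step 1: validation. Accept only what matches the expected shape; do not
// try to repair anything that does not.
function validateUsername(string $raw): string
{
    $ok = filter_var($raw, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/^[A-Za-z0-9_]{3,20}$/'],
    ]);
    if ($ok === false) {
        throw new InvalidArgumentException("invalid username: $raw");
    }
    return $ok;
}

function validateEmail(string $raw): string
{
    $ok = filter_var($raw, FILTER_VALIDATE_EMAIL);
    if ($ok === false) {
        throw new InvalidArgumentException("invalid email: $raw");
    }
    return $ok;
}

// Step 2: escaping for an HTML text or attribute context. ENT_QUOTES encodes
// single quotes as well as double; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string; the charset must match the page's.
function htmlText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: one valid name, one too short, one with SQL punctuation.
foreach (['alice_01', 'al', "bob'; --"] as $raw) {
    try {
        echo 'username ok: ', validateUsername($raw), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
echo 'email ok: ', validateEmail('user@example.com'), PHP_EOL;

// Why the flags parameter matters: with ENT_COMPAT (the default before PHP 8.1)
// a single quote survives, which is unsafe inside a single-quoted attribute.
$comment = "it's <script>";
echo htmlspecialchars($comment, ENT_COMPAT, 'UTF-8'), PHP_EOL; // it's &lt;script&gt;
echo htmlText($comment), PHP_EOL;                              // it&#039;s &lt;script&gt;

// Why strip_tags() alone is not enough when some tags must be kept: it drops
// disallowed tags but keeps their text, and it leaves attributes on allowed
// tags untouched. Keeping some markup safely needs a real HTML sanitizer.
$html = '<b onclick="handler()">bold</b><script>notAllowed()</script>';
echo strip_tags($html, '<b>'), PHP_EOL; // <b onclick="handler()">bold</b>notAllowed()
```

Validation and escaping stay separate functions on purpose: the validated username can go to the database through a bound parameter and to the page through `htmlText()`, each context getting its own treatment rather than one "sanitized" value used everywhere.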