• 0

Secure PHP input


Question

So I've been trying to take some steps to secure code I use in projects. This is just an example of it done dirty and quickly, but the format for the PHP is the same. Does anyone have any tips or ideas to optimize this?

<?php
//Connect to DB
$db = mysql_connect("localhost", "blah", "blah") or die("Could not connect.");
if(!$db)
   die("no db");
if(!mysql_select_db("blah",$db))
   die("No database selected.");

//Functions
function clean($Text){
   $Text = strip_tags($Text);
   $Text = str_replace("&","&amp;", $Text);
   $Text = str_replace("<","&lt;", $Text);
   $Text = str_replace(">","&gt;", $Text);
   $Text = trim($Text);
   $Text = mysql_real_escape_string($Text);
   return $Text;
}

//Variables
$section = $_GET['section'];
$section = clean($section);
$input = $_POST['text'];
$input = clean($input);

//show subpage
if (isset($section) && $section == '1') {
   //If input then
   if ($input) {
      //Add data to db
      $add = mysql_query( "INSERT INTO `test` (`testing`,`subsection`) VALUES ('$input','$section') ");
      // echos the input
      echo " ".$input." ".$section." ";
   }
}
else{
   echo "
   <form method=\"post\" action=\"?section=1\" enctype=\"multipart/form-data\">
   <input type=\"text\" name=\"text\" class=\"form\">
   <input name=\"submit\" type=\"submit\" value=\"Submit\" class=\"form\"><input type=\"reset\" value=\"Clear\" class=\"form\">
   </form>
   ";
}

?>


15 answers to this question


  • 0

Instead of manually translating & into &amp; and so on, you can use htmlspecialchars.

Also if you are expecting a value to be an integer, you could just cast to that.

Now that's useful and I hadn't actually thought of that. See, I kinda taught myself how to do this stuff at home on a private PC, but transferring stuff into real-world situations it's just gonna have to get tightened up. So thank you :)


  • 0

For your functions & variables, wouldn't it be better to combine rather than separate? It's what I normally do, but then I'm a noob at PHP lol

//Functions
function clean($Text){
$Text = trim(mysql_real_escape_string(strip_tags(htmlspecialchars($Text))));
return $Text;
}
//Variables
$section = clean($_GET['section']);
$input = clean($_POST['text']);

Don't know if what I have done is classed as good/bad coding, but it's how I normally do stuff when I'm playing with PHP.


  • 0

For your functions & variables, wouldn't it be better to combine rather than separate? It's what I normally do, but then I'm a noob at PHP lol

I like to keep it readable at a glance, but yeah, no reason why not I guess.


  • 0

It'd be worthwhile turning off all PHP error reporting when the script is running in the "real world" (i.e. not localhost or something).

Place

error_reporting(0);

at the top, just after <?php.


  • 0

It'd be worthwhile turning off all PHP error reporting when the script is running in the "real world" (i.e. not localhost or something).

Sweet, something else I hadn't really thought about.


  • 0

When inserting to MySQL, use mysql_real_escape_string() on the string.

When presenting data to the user use htmlspecialchars().

Don't htmlspecialchars() it before you insert it into the DB; you may end up double-encoding the string, and that introduces another security risk.

Remember that most variables that PHP puts in its globals are user taintable and not to be trusted. Think things like the referrer, the IP, the user agent, request URI. None of it is to be trusted.

For your functions & variables, wouldn't it be better to combine rather than separate? It's what I normally do, but then I'm a noob at PHP lol

//Functions
function clean($Text){
$Text = trim(mysql_real_escape_string(strip_tags(htmlspecialchars($Text))));
return $Text;
}
//Variables
$section = clean($_GET['section']);
$input = clean($_POST['text']);

Don't know if what I have done is classed as good/bad coding, but it's how I normally do stuff when I'm playing with PHP.

Do NOT do this. Firstly, what's the point in strip_tags when you just encoded the tags? Second, don't prepare data for presentation on the way into the DB; sanitise it for storage on the way into the DB.


  • 0

When inserting to MySQL, use mysql_real_escape_string() on the string.

When presenting data to the user use htmlspecialchars().

So do you mean like this:

//Clean input into db
function clean_in_db($Text){
$Text = mysql_real_escape_string($Text);
return $Text;
}
//Clean output from db
function clean_out_db($Text){
$Text = htmlspecialchars($Text);
return $Text;
}

or

//Clean input into db
function clean_in_db($Text){
$Text = strip_tags($Text);
$Text = mysql_real_escape_string($Text);
$Text = trim($Text);
return $Text;
}
//Clean output from db
function clean_out_db($Text){
$Text = strip_tags($Text);
$Text = htmlspecialchars($Text);
$Text = trim($Text);
return $Text;
}

Sorry, a little confused as to what should be exclusive to what.


  • 0

@Kudos I just copied the data he had given; like I said, I'm noobish too.

@Curve I believe he's saying:

//Functions
function clean($Text){
$Text = trim(mysql_real_escape_string(htmlspecialchars($Text)));
return $Text;
}
//Variables
$section = htmlspecialchars($_GET['section']); //check i spelled right im lazy =P
$input = clean($_POST['text']);

But I could be wrong =)


  • 0

Your code could be a lot smaller, mate. This is not tested, so I may have left a semicolon or something out, but essentially it is the same thing as you have in your first post.

<?php
//Connect to DB
mysql_connect("localhost", "blah", "blah") or die("Could not connect.");
mysql_select_db("blah") or die("No database selected.");

function clean($value) {
	return mysql_real_escape_string(trim(htmlspecialchars(strip_tags($value))));
}

$section = clean($_GET['section']);
$input = clean($_POST['text']);

if ($section == 1 and !empty($input)) {
	mysql_query("INSERT INTO `test` (`testing`, `subsection`) VALUES ('$input', '$section')");
	echo $input . ' ' . $section;
} else {
	echo '
	<form method="post" action="?section=1" enctype="multipart/form-data">
		<input type="text" name="text" class="form">
		<input name="submit" type="submit" value="Submit" class="form">
		<input type="reset" value="Clear" class="form">
	</form>
	';
}
?>


  • 0

//Clean input into db
function clean_in_db($Text){
$Text = mysql_real_escape_string($Text);
return $Text;
}
//Clean output from db
function clean_out_db($Text){
$Text = htmlspecialchars($Text);
return $Text;
}

Like this. You could optionally strip tags and trim on the way into the database also, if it's appropriate.

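The separation described in the "Do NOT do this" answer and confirmed in the post just above (escape for the database on the way in, htmlspecialchars() only on the way out), as an added example that is not code from the thread. It assumes PHP with PDO and the SQLite driver, uses a parameterised query in place of mysql_real_escape_string() (which needs a live MySQL connection), and the input string is constructed.

```php
<?php
// Added example, not from the thread. Escape for the context the data is about to
// enter, and nowhere else: storage keeps the raw bytes (the parameterised query does
// the quoting), HTML-escaping happens once, at output.
declare(strict_types=1);

// Assumed: PHP with PDO and the sqlite driver. In-memory DB standing in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE test (testing TEXT, subsection INTEGER)');

// On the way in: validate shape, store the original text. No htmlspecialchars() here.
function clean_in_db(PDO $db, string $text, string $section): void
{
    // "expecting an integer": reject anything that is not one instead of guessing
    if (!ctype_digit($section)) {
        throw new InvalidArgumentException('section must be an integer');
    }
    $stmt = $db->prepare('INSERT INTO test (testing, subsection) VALUES (:t, :s)');
    $stmt->execute([':t' => trim($text), ':s' => (int) $section]);
}

// On the way out: escape for HTML exactly once, where the value hits the page.
function clean_out_db(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed user input carrying both SQL- and HTML-significant characters.
$input = "O'Reilly & <b>bold</b>";
clean_in_db($db, $input, '1');

$stored = $db->query('SELECT testing FROM test')->fetchColumn();
echo 'stored:   ', $stored, PHP_EOL;            // the raw text comes back unchanged
echo 'rendered: ', clean_out_db($stored), PHP_EOL;

// The thread's "encode everything on the way in" version, for comparison: the value
// is already entities in the DB, so rendering it encodes those entities a second time.
$encodedOnWayIn = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo 'double:   ', clean_out_db($encodedOnWayIn), PHP_EOL;
```

Rendering the already-encoded copy turns its &amp; into &amp;amp;, which the browser then shows literally to the user; that is the double-encoding the answer warns about.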
