Order of Escape?

I am making a simple survey and I want to save the results to a MySQL database.

Could anyone let me know if this is the right order for validating and escaping things?
(mainly, the approach I am thinking is to only change the values right before using them in sql or outputting to browser)

in other words, is there a danger of PHP validation without slashes?

1) Receive $_POST values, stripping slashes if magic quotes is on

2) put POST values into variables

4) validate POST values.

3) stripslashes and htmlspecialchars just before output to screen

5) mysql_real_escape_string just befor entry into database.

I am nost sure if I should be escaping strings before validation. Here are the functions I use:

PHP Code:

// strips slashes if magic quotes on function stripping($string){ if (!get_magic_quotes_gpc()){ return $string; } else { return stripslashes($string); } } // prepares data to be output to page function htmlsafe($string){ return htmlspecialchars($string); } } // prepares data for database entry function sqlsafe($string) { $string=mysql_real_escape_string($string); return $string; }

And here is my validation so far:

PHP Code:

// set variables $title = stripping($_POST['title']); $selection = stripping($_POST['selection']); $other = stripping($_POST['other']); // to check selection, and store error message $array = ('selection1', 'selection2', 'selection3'); $err_message = ''; if (!strlen($title) > 0) { $title = FALSE; $err_message .= 'A title was not submitted. Please enter a title.<br />'; } if (!in_array($selection, $array) { $title = FALSE; $err_message .= 'A valid selection was not made. Please make a selection.<br />'; } if ($other == 'badword') { $other = FALSE; $err_message .= 'You cannot use the word ' . htmlsafe($badword) . 'Please submit another word.<br />'; if ($err_message > 0){ echo $err_message; } else { echo 'Success!'; // continue to SQL insert }

And finally here is my sql that will be inserted

PHP Code:

$title = sqlsafe($title); $selection = sqlsafe($selection); $other = sqlsafe($other); $sql = "INSERT INTO `tablename` (`col1`, `col2` , `col3` , `col4`) VALUES (NULL , `$title`, `$selection`, `$other`)";

Yup, looks good. Remember that if you escape your string(s) before validating them, you'll have to account for the extra escape characters in your validation. Usually it's just easier to validate before you escape.

Just a side note: I usually don't put escaped values back into their variables. Reason being that you may want to display the values later on, and all those extra escape characters would just get in the way. I'd do your SQL statement this way:

PHP Code:

$sql = "INSERT INTO `tablename` (`col1`, `col2` , `col3` , `col4`) VALUES (NULL , `". sqlsafe($title)."`, `". sqlsafe($selection)."`, `". sqlsafe($other)."`)";

Yes, it's a little annoying to do it that way, but it's easier than trying to strip out slashes later (especially since there is no true complement to mysql_real_escape_string - it's character-set sensitive, while stripslashes is not).

Thanks!

Thanks Kromey,

The suggestion for escaping sql right in the sql query was helpful. I think I did this in the past, I just forgot.

Is there any way that an unescaped value can mess up a php validation?

for example is the following safe?

PHP Code:

if ($_POST['unescapedvalue'] == 'password' ) { //do something secret }

Being more specific, can they interfere with an "if" statement?

I imagine the only way is if the validation statement is something like so (not a practical example, I just want to know how it works):

PHP Code:

if ('prepend part of a string' . $_POST['unescapedvalue'] == 'password') { //do something secret }

where $_POST['unescapedvalue'] is entered as
' == 1 || 1==1 || 1
and the statement becomes:

if ('prepend part of a string' == 1 || 1==1 || 1 == 'password')

Would PHP see the second statement as true, allowing the script to "do something secret" OR
would php just make the quote a part of the string and treat it like the following?

if ('prepend part of a string/' ==1 || 1==1 || 1==' 'password')

where the string is
('prepend part of a string/' ==1 || 1==1 || 1==)

Validation of the kind you are referring to is only necessary when entering data into a database (Google: SQL injection), displaying it to a user (Google: XSS), or running user input through e.g. eval (a really really bad idea in general).

As far as your example with a string in an if statement, PHP sees the user input as a string and never evaluates it as PHP code, even when appended to another string. The only time PHP would evaluate such a string would be if you ran it through eval or put it into a file and then used include. Maybe a couple other ways to make it execute. But in general use, no, PHP will not execute any kind of user input.

Quote:

Originally Posted by agentforte

3) stripslashes and htmlspecialchars just before output to screen

You should not stripslashes on data, before output.

Quote:

Originally Posted by kyberfabrikken

You should not stripslashes on data, before output.

What if magic quotes are on? See the stripping function I have. (only strips if magic quotes are on)

I assume you mean the same thing as Kromey:

Quote:

Originally Posted by KROMEY

Just a side note: I usually don't put escaped values back into their variables. Reason being that you may want to display the values later on, and all those extra escape characters would just get in the way...

... it's easier than trying to strip out slashes later (especially since there is no true complement to mysql_real_escape_string - it's character-set sensitive, while stripslashes is not)

Quote:

Originally Posted by agentforte

I assume you mean the same thing as Kromey:

No, not really. I've often seen that people assume that since you use addslashes (Or mysql_escape_string) on values, which are inserted into the database, you should use stripslashes on values, retrieved from the database. This is not the case. The escaping of data is there to protect the transport of data, to the database. Once they are in the database, they aren't escaped any more. Thus, when you retrieve data, it will come back in its "unescaped" form. This illustrates:

Code:

mysql> create table test_of_escape (id serial, foo varchar(255)); Query OK, 0 rows affected (0.22 sec) mysql> insert into test_of_escape values (NULL, "this is a single quote: '"); Query OK, 1 row affected (0.05 sec) mysql> insert into test_of_escape values (null, 'this is a single quote: \''); Query OK, 1 row affected (0.06 sec) mysql> select * from test_of_escape; +----+---------------------------+ | id | foo | +----+---------------------------+ | 1 | this is a single quote: ' | | 2 | this is a single quote: ' | +----+---------------------------+ 2 rows in set (0.00 sec) mysql>