  1. #1 SitePoint Addict (Join Date: Nov 2009)

    PHP & MySQL security question

    Hi,

    I have been reading about PHP & MySQL security and I can say that I learned the basics. In my code, I use the following to filter user input.

    Code:
    $input = mysql_real_escape_string(strip_tags(trim($input)));
    Is this enough? Do I need something else?

    Thanks.

  2. #2 guido2004 (Join Date: Sep 2004)
    From a purely database point of view, you are mixing two things in that statement: sanitization and validation.

    To sanitize the user input before using it in a database query (as you should), there's no need for strip_tags. You would sanitize strings with mysql_real_escape_string(), and numeric values by casting them with (int), for example (in the case of integers). Or you could take a look at PDO.

    Validation depends entirely on what you want the user input to be.
    If you don't want the user input to contain tags, then you can use strip_tags(). If you want it to contain certain values, you can check it against an array of allowed values. If you want it to be a valid email address, you can use validation filters.
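The distinction guido2004 draws above, as an added example that is not part of the thread: a small validator built on filter_var() and a strict whitelist, run over a constructed hostile POST. The field names, the spec format and the sample values are assumptions for the demo; nothing here touches a database.

```php
<?php
// Added example (not from the thread): validation and sanitization kept separate.
// The sample input below is constructed for the demo; nothing is sent to a database.

declare(strict_types=1);

/**
 * Validate a submitted form against a small spec (field => rule).
 * Returns field => error message; an empty array means everything validated.
 */
function validate(array $input, array $spec): array
{
    $errors = [];
    foreach ($spec as $field => $rule) {
        $value = $input[$field] ?? null;
        if ($value === null || $value === '') {
            $errors[$field] = 'required';
            continue;
        }
        switch ($rule['type']) {
            case 'int':
                // FILTER_VALIDATE_INT rejects "1 OR 1=1"; an (int) cast would
                // silently keep only the leading digits and never report a problem.
                if (filter_var($value, FILTER_VALIDATE_INT) === false) {
                    $errors[$field] = 'must be an integer';
                }
                break;
            case 'email':
                if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                    $errors[$field] = 'must be a valid e-mail address';
                }
                break;
            case 'enum':
                // Strict comparison, so "0" does not match an allowed value of 0.
                if (!in_array($value, $rule['allowed'], true)) {
                    $errors[$field] = 'not one of the allowed values';
                }
                break;
        }
    }
    return $errors;
}

// Constructed sample: what a hostile POST might look like.
$post = [
    'id'    => '1 OR 1=1',
    'email' => 'not-an-address',
    'sort'  => 'name; DROP TABLE users',
];
$spec = [
    'id'    => ['type' => 'int'],
    'email' => ['type' => 'email'],
    'sort'  => ['type' => 'enum', 'allowed' => ['name', 'date']],
];

// Validation reports an error for each of the three fields.
print_r(validate($post, $spec));

// Sanitizing the same id by casting never fails; it only changes the value.
var_dump((int) $post['id']);
```

The point of the last two lines is the one the post makes: casting (sanitization) always produces a usable value, whereas validation can say "no" and send the user back to the form. Both are needed, for different reasons, and a whitelist is the right tool for anything that ends up in a non-value position such as an ORDER BY column, where escaping does not apply.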

  3. #3 SitePoint Addict (Join Date: Apr 2011)
    Hi,
    You can use PDO, or MySQLi, with prepare() and execute(); these functions filter data before sending it to the database. In this case, there's no need for mysql_real_escape_string().

  4. #4 SitePoint Addict (Join Date: Nov 2009)
    Quote Originally Posted by guido2004
    From a purely database point of view, you are mixing two things in that statement: sanitization and validation.

    To sanitize the user input before using it in a database query (as you should), there's no need for strip_tags. You would sanitize strings with mysql_real_escape_string(), and numeric values by casting them with (int), for example (in the case of integers). Or you could take a look at PDO.

    Validation depends entirely on what you want the user input to be.
    If you don't want the user input to contain tags, then you can use strip_tags(). If you want it to contain certain values, you can check it against an array of allowed values. If you want it to be a valid email address, you can use validation filters.
    Guido, thanks for your opinion. So, for example, if I am using a login form (username, password fields), will it be enough to use only mysql_real_escape_string() and not strip_tags()? Do I need mysql_real_escape_string() for all types of input? For what types of input will I need strip_tags()? Every web designer has a different style of security implementation; that's why I am confused and asking this question.

  5. #5 praetor (Join Date: Aug 2005)
    The data the server receives from the browser first of all needs to be validated according to the specific action's requirements. When using MVC (which you should), the controller receives the submitted data and then updates or queries the model (which in its very simplistic form is the database). In order to perform that action, the controller must ensure that the data it sends further is valid. That's when the validation kicks in (how it's performed depends on what framework or utilities you're using). In this stage we talk about validating the format of the data received. If it's not the desired format, then a view containing the errors should be returned.

    Once the data is validated, it can be sent to the model for processing. When it gets to the database, the data access layer (DAL)/the data access object (DAO) must ensure that everything it sends to the database is sanitized, i.e. the values sent are in the proper form to be used in that database.

    In my opinion, strip_tags is a hack that shouldn't be used for validation or sanitization. If you don't want the data to contain HTML tags, return an error saying so to the user. mysql_real_escape_string does the sanitization of the data; however, I strongly suggest that you learn about PDO and use only that. As you are a novice in PHP, be aware that there's a LOT of bad coding or outdated tutorials on the web which will 'teach' you how to be a poor developer. Learn the 'right' PHP from the start; it is MUCH easier now than later.
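The layering praetor describes, applied to the login form asked about in #4, as an added example that is not part of the thread: the controller-side validator rejects a username containing HTML instead of stripping it (strip_tags() is used only to detect tags), and a small DAO talks to the database only through a prepared statement. The class and function names, the users table and the fixture account are assumptions for the demo; SQLite in memory stands in for MySQL, and the code assumes PHP 8 for constructor promotion.

```php
<?php
// Added example (not from the thread): validate in the controller, return errors
// to the view, and let the data access object own every query.

declare(strict_types=1);

final class UserDao
{
    public function __construct(private PDO $db) {}

    /** Return the stored password hash for a username, or null if unknown. */
    public function findPasswordHash(string $username): ?string
    {
        $stmt = $this->db->prepare('SELECT password_hash FROM users WHERE username = ?');
        $stmt->execute([$username]);
        $hash = $stmt->fetchColumn();
        return $hash === false ? null : $hash;
    }
}

/**
 * Controller-side format validation. HTML in the username is reported as an
 * error rather than silently removed; strip_tags() is only used to detect it.
 */
function validateLogin(array $input): array
{
    $errors = [];
    $username = $input['username'] ?? '';
    $password = $input['password'] ?? '';

    if ($username === '' || strlen($username) > 32) {
        $errors['username'] = 'username must be 1 to 32 characters';
    } elseif ($username !== strip_tags($username)) {
        $errors['username'] = 'username must not contain HTML tags';
    }
    if ($password === '') {
        $errors['password'] = 'password is required';
    }
    return $errors;
}

/** Controller action: validate, then ask the model; never build SQL here. */
function login(UserDao $dao, array $input): array
{
    $errors = validateLogin($input);
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];   // hand back to the error view
    }
    $hash = $dao->findPasswordHash($input['username']);
    $ok = $hash !== null && password_verify($input['password'], $hash);
    return ['ok' => $ok, 'errors' => $ok ? [] : ['login' => 'invalid username or password']];
}

// Constructed fixture: one account with a properly hashed password.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$dao = new UserDao($db);

// Rejected by the validator before any query runs.
print_r(login($dao, ['username' => '<b>alice</b>', 'password' => 'x']));
// Passes validation; the prepared statement treats the quote as data, so no user matches.
print_r(login($dao, ['username' => "alice' --", 'password' => 'x']));
// Valid credentials.
print_r(login($dao, ['username' => 'alice', 'password' => 'correct horse']));
```

Note that the password is never escaped or stripped at all: it is validated for presence, then compared with password_verify() against a hash produced by password_hash(). Mangling it with strip_tags() or an escape function would silently change what the user typed and break logins for anyone whose password happens to contain `<` or a quote.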
