PHP & MySQL security question

[nayen]

Hi,

I have been reading about PHP & MySQL security and I can say that I learned the basics. In my code, I use the following to filter user input.

Code:

$input = mysql_real_escape_string(strip_tags(trim($input)));

Is this enough? Do I need something else?

Thanks.

[guido2004]

From a purely database point of view, you are mixing two things in that statement: sanitization and validation.

To sanatize the user input before using it in a database query (as you should), there's no need for strip_tags. You would sanitize strings with mysql_real_escape_string(), and numeric values casting them with (int) for example (in case of integers). Or you could take a look at PDO.

Validation depends entirely on what you want the user input to be.
If you don't want the user input to contain tags, then you can use strip_tags(). If you want it to contain certain values, you can check it against an array of allowed values. If you want it to be a valid email address, you can use validation filters.

[MarPlo]

Hi,
You can use PDO, or MySQLi, with prepare() and execute() , these functions filter data before send it to database. It this case, it's no need for mysql_real_escape_string().

[nayen]

From a purely database point of view, you are mixing two things in that statement: sanitization and validation.

To sanatize the user input before using it in a database query (as you should), there's no need for strip_tags. You would sanitize strings with mysql_real_escape_string(), and numeric values casting them with (int) for example (in case of integers). Or you could take a look at PDO.

Validation depends entirely on what you want the user input to be.
If you don't want the user input to contain tags, then you can use strip_tags(). If you want it to contain certain values, you can check it against an array of allowed values. If you want it to be a valid email address, you can use validation filters.

Guido, thanks for your opinion. So, for example if I am using a login form (username, password fields), will it be enough to use only mysql_real_escape_string() and not strip_tags()? Do I need mysql_real_escape_string() in all type of inputs? In what type of inputs I will need strip_tags()? Every web designer has a different style of security implementation, that's why I am confused and asking this question.

[praetor]

The data the server receives from the browsers first of all needs to be validated according to the specific action requierements. When using MVC (which you should) the controller receives the submitted data and then it updates or query the model (which is in its very simplistic form, the database). In order to perform that action the controller must ensure that the data it sends further is valid. That's when the validation kicks in (how it's performed depends on what framework or utilites you're using). In this stage we talk about validating the format of the data received. If it's not the desired format, then a view containing the errors should be returned.

Once the data is validated, it can be send to the model for processing. When it gets to the database, the data access layer (DAL)/the data acces object (DAO) must ensure that everything it sends to the database is sanitized i.e the values sent are in the proper form to be used in that database.

In my opinion, strip_tags is a hack that shouldn't be used for validation or sanitization. If you don't want the data to contain html tags, return a error saying so to the user. mysql_real_escape_string does the sanitization of the data however I strongly suggest that you learn about PDO and use only that. As you are a novice in php, be aware that there's a LOT of bad coding or outdated tutorials on the web which will 'teach' you how to be a poor developer. Learn the 'right' php from the start, it is MUCH easier now than later.