Handling Input and Output
Due to the demise of magic quotes, we need to change how we approach and handle global values from places such as $_GET and $_POST.
Here’s what we’re going to be looking at:
[list=1]
[*]Getting the values
[*]Disabling magic quotes
[*]Handling values
[*]Protect the database
[*]Output to the page
[/list]
1. Getting the values
You can use either of the following two snippets to retrieve a value:
// retrieve a value without filter_input; default to an empty string when absent
$email = '';
if (isset($_GET['email'])) {
    $email = $_GET['email'];
}
// filter_input can be used from PHP 5.2 onwards; it returns null when the parameter is absent
$email = filter_input(INPUT_GET, 'email');
The benefit of using filter_input is that you can also apply [url=http://www.php.net/manual/en/filter.filters.php]filters[/url] to the values. For example, with an email address there is the FILTER_SANITIZE_EMAIL filter, which removes all characters except letters, digits and !#$%&'*+-/=?^_`{|}~@.
$email = filter_input(INPUT_GET, 'email', FILTER_SANITIZE_EMAIL);
2. Disabling magic quotes
None of the above yet protects your code from potentially malicious input. Up to PHP 5.3 it was magic quotes that attempted to provide the protection, but they were flawed. The slashes that magic quotes added are normally stripped out in favour of using mysql_real_escape_string or prepared statements, which provide better protection. As of PHP 5.3 the magic quotes are officially deprecated. In PHP 6.0 they won’t exist at all. This means changing your mindset so that the code you write now will have a better chance of being issue-free later on.
We now need to approach our code with the assumption that magic quotes are no longer active. If they happen to be enabled, you can remove the added slashes from the values so that you don’t run the risk of double-escaping them. Also, if your code is going to be run in an unknown environment, you can apply added protection so that it still works as normal, or even dies with an appropriate error message.
// undo the slashes magic quotes added, so the value is escaped only once later on
if (get_magic_quotes_gpc()) {
    $email = stripslashes($email);
}
If you don’t want to perform such checks for each variable, you can instead exit out of your code stating that “no magic quotes” is a requirement for your code. That way you can ensure that your code only runs in an environment that doesn’t have magic quotes.
When it comes to disabling magic quotes, there are many techniques available. My favourite is to disable them completely at the server.
The order of preference for disabling magic quotes is (1 = most preferred, N/A = not applicable in that version):
Technique          PHP 5.2   PHP 5.3   PHP 6.0
php.ini settings   1         N/A       N/A
.htaccess          2         1         N/A
runtime code       3         2         N/A
3. Handling values
The values that you now have must still be considered untrusted and potentially dangerous. When these values are passed to the database they may contain attempted SQL injection code, and when passed to the web page they may contain XSS code. Your code now needs to treat them as untrusted values, as they came from an untrusted source: the user. This is not to say that they will contain bad values, only that the potential for bad values exists.
While there are some ways to protect against bad values when getting input values, the only effective way to provide proper protection is to make sure that the values are made safe during the output process, whether that be to the database, the web page, or other places like email, XML, files, URLs, etc.
4. Protect the database
[RULE=50%]Red[/RULE]
[RULE=60%]Red[/RULE]
[CENTER]As of PHP version 5.5 the MySQL functions have been Deprecated and should no longer be used.
all mysql_ functions
http://php.net/manual/en/migration55.deprecated.php
ext/mysql deprecation
The original MySQL extension is now deprecated, and will generate E_DEPRECATED errors when connecting to a database. Instead, use the MySQLi or PDO_MySQL extensions.
[/CENTER]
[RULE=60%]Red[/RULE]
[RULE=50%]Red[/RULE]
Sending values to the database is fraught with issues, but if you ensure that your database values are escaped only once, you should be safe. The appropriate ways to do that are to use mysql_real_escape_string in the database query itself, as in the example on the mysql_real_escape_string documentation page, or to use prepared statements with, for example, [url=http://www.php.net/manual/en/mysqli.prepare.php]mysqli_prepare[/url].
5. Output to the page
Functions such as htmlspecialchars and [url=http://www.php.net/manual/en/function.htmlentities.php]htmlentities[/url] are useful for outputting values to the page. The former only converts ampersands, double quotes and angle brackets, which provides a useful minimum of protection. The latter converts every single character that has an HTML entity equivalent, which can sometimes be considered too heavy-handed.
// escape at the point of output, so the value cannot be interpreted as HTML
echo 'An email has been sent to you at ' .
    '<strong>' . htmlspecialchars($email) . '</strong>';
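Putting the five steps together, here is an added example that is not code from the original post: the table `subscribers`, its `email` column and the connection details are assumptions, and the value is validated once more before it is stored, as an extra check on top of the sanitising filter.

```php
<?php
// 1. Get the value, filtered at the point of entry. FILTER_SANITIZE_EMAIL
//    strips characters that cannot appear in an address; the result is
//    still untrusted, and is null if the parameter was absent.
$email = filter_input(INPUT_GET, 'email', FILTER_SANITIZE_EMAIL);
if ($email === null || $email === false) {
    die('No email address supplied.');
}

// 2. Undo magic quotes if the host still has them on, so the value is
//    escaped exactly once later (by the prepared statement, not here).
//    function_exists() guards against PHP versions that removed the function.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $email = stripslashes($email);
}

// 3. The value is still untrusted: check its shape before using it.
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    die('That does not look like an email address.');
}

// 4. Protect the database: a prepared statement sends the SQL and the
//    value separately, so the value can never be parsed as SQL.
//    Connection details and table name are placeholders (assumed).
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'newsletter');
if ($db->connect_error) {
    die('Database connection failed.');
}
$stmt = $db->prepare('INSERT INTO subscribers (email) VALUES (?)');
$stmt->bind_param('s', $email);   // 's' binds the value as a string
$stmt->execute();
$stmt->close();

// 5. Output to the page: escape for HTML at the point of output.
//    ENT_QUOTES also converts single quotes, which matters when the
//    value is placed inside a single-quoted attribute.
echo 'An email has been sent to you at <strong>'
   . htmlspecialchars($email, ENT_QUOTES, 'UTF-8')
   . '</strong>';
```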