Php form input security

How much checking of form input is needed (data is going into a MySQL database)?
The form fields have lengths of input on the form
I use
preg_match to check names etc only have certain character input

FILTER_SANITIZE_SPECIAL_CHARS to again check unauthorised characters can be used

mysqli_real_escape_string again to check for unauthorised characters

Apart from that I used a php generated number on the fly the user need to enter to prevent multiple form uploads

Is it necessary to use all three checks?
I would be happy for anyone to point me to a site where the merits (or lack of them) and/or comparisons between them are discussed.

For inserting into database to a text field no checking is needed at all. The only thing I would check is the string length, if it’s very long it can generate very long queries and put some stress on the server, however nothing serious should happen. When mysql is running in strict mode it will throw errors when you try to insert a string that is longer than the db field allows, otherwise it will be truncated.

The form fields have lengths of input on the form

Think of them only as usability enhancers but don’t trust them. Check for length in PHP.

I use
preg_match to check names etc only have certain character input

This doesn’t have anything to do with inserting into the db, but of course it’s worth doing depending on the type of field. Actually, it’s a good idea to validate all the necessary fields, but you need to treat each field individually depending on its purpose.

FILTER_SANITIZE_SPECIAL_CHARS to again check unauthorised characters can be used

No - escaping characters should not be done before inserting data to db but when retrieving, based on the target medium. In the future you might want to use your data for other purposes than sending to the browser as html (for example sending in a mail message, creating a pdf or even sending it to the browser as javascript). Also, string manipulations are much harder on escaped data, you would need to unescape them first. Always escape before sending data to the target medium - in this case in your html template.

mysqli_real_escape_string again to check for unauthorised characters

You should use this function for all string inserts - it doesn’t check for anything but escapes all characters so that they can be inserted accurately and safely.

Apart from that I used a php generated number on the fly the user need to enter to prevent multiple form uploads

This is one of the techniques to prevent multiple submissions, a generated number is fine.

Quite often I use trim() on text fields before inserting into db - not really a security check but it gets rid of unwanted spaces that can appear unknowingly.
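The "validate in PHP, escape for the database, escape for HTML only at output" flow described in this reply, as an added example that is not code from the thread. Table and column names, the form field name and the connection credentials are assumptions.

```php
<?php
// Added example: Filter Input, Escape Output with mysqli.
// Assumed: a `users` table with a `name` column and a form field `first_name`.

// 1. FILTER INPUT: the form's maxlength is only a usability aid, so enforce
//    length and a character whitelist server-side.
function validate_name(string $raw, int $max = 50): ?string
{
    $name = trim($raw);                          // drop stray surrounding spaces
    if ($name === '' || strlen($name) > $max) {
        return null;                             // reject before it reaches SQL
    }
    // Whitelist: letters, space, hyphen, apostrophe (O'Brien, Smith-Jones).
    // The D modifier stops "$" from matching before a trailing newline.
    if (!preg_match('/^[A-Za-z\' -]+$/D', $name)) {
        return null;
    }
    return $name;                                // stored raw, not HTML-escaped
}

// 2. ESCAPE FOR THE DATABASE: every string interpolated into SQL gets
//    mysqli_real_escape_string() with the live connection (charset-aware).
function insert_name(mysqli $db, string $name): bool
{
    $safe = mysqli_real_escape_string($db, $name);
    $sql  = "INSERT INTO users (name) VALUES ('$safe')";
    return (bool) mysqli_query($db, $sql);
}

// 3. ESCAPE OUTPUT: escape for the target medium (HTML here) at render time,
//    so the same stored value can later go into mail, PDF or JSON unchanged.
function render_name(string $name): string
{
    return '<td>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</td>';
}

$name = validate_name($_POST['first_name'] ?? '');
if ($name === null) {
    exit('Invalid first name');
}
$db = mysqli_connect('localhost', 'user', 'pass', 'app'); // assumed credentials
mysqli_set_charset($db, 'utf8mb4');              // escaping depends on the charset
insert_name($db, $name);
echo render_name($name);
```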

The data validation I routinely do includes

  1. validate all user inputs against a list of valid characters for that type of input (e.g. first name, last name, address, email address, etc.).

  2. use mysql_real_escape_string() to escape all inputs to a database query.

It can be quite difficult to get your mind around these issues, in which case I would commend you to search for “Filter Input Escape Output” or FIEO.

Once you have chased this issue down it will stay with you and form the bedrock of your security woes such as form validation techniques.

I’d give you a link but to be honest I have never really found one single tutorial which deals with it adequately - it is a matter of searching and reading.

I learned the importance of this when swotting for my ZCE exam, in the Certification Guide first of all, and then as I say by searching for FIEO.

(if anyone can recommend a tutorial on this, then please go ahead)

I really enjoyed reading some of Chris Shiflett’s articles.

Try this too:-

http://www.google.com/search?as_q=FIEO&as_sitesearch=shiflett.org

:slight_smile:

Thanks for the replies. It appears there are conflicting views on the rights and wrongs. I obviously have a lot more reading to do and have taken notes on your suggested sites.
I am new to this forum and incidentally to PHP. I am very pleased and surprised at the quick response.

In this article he presents this code sample:

function _write($id, $data)
{
    global $_sess_db;                          // connection opened by the session handler

    $access = time();                          // last-access timestamp generated by PHP

    // Every value interpolated into the query is escaped, including the
    // PHP-generated timestamp (the point discussed below).
    $id = mysql_real_escape_string($id);
    $access = mysql_real_escape_string($access);
    $data = mysql_real_escape_string($data);

    $sql = "REPLACE
            INTO    sessions
            VALUES  ('$id', '$access', '$data')";

    return mysql_query($sql, $_sess_db);
}

He escapes the result of the time() function, which is too extreme in my opinion - is there a need to protect against php itself? If I was writing a plain sql query I would not hesitate to insert this value straight from time(). Of course, if using db access methods that do the escaping (like PDO prepared statements) this does not apply.

Other than that the articles are a good read, however a bit old.
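The same session write done with a PDO prepared statement, as an added example (not from the article or this thread) of the "db access methods that do the escaping" mentioned above: bound parameters are sent separately from the SQL text, so neither the user-controlled session data nor the PHP-generated time() value is escaped by hand. The column names are assumptions.

```php
<?php
// Added example: _write() rewritten on PDO. Assumed columns: id, access, data.
function _write_pdo(PDO $db, string $id, string $data): bool
{
    $access = time();   // integer from PHP; bound as an int, never string-built

    $stmt = $db->prepare(
        'REPLACE INTO sessions (id, access, data) VALUES (:id, :access, :data)'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);       // user-controlled cookie value
    $stmt->bindValue(':access', $access, PDO::PARAM_INT);
    $stmt->bindValue(':data', $data, PDO::PARAM_STR);   // serialised session payload
    return $stmt->execute();
}

// Assumed DSN/credentials. Turning off emulated prepares makes MySQL itself
// parse the statement, so values can never be read as SQL.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
```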

I routinely sanitise every input into a sql query because you never know which entry point a hacker, who knows what he/she is doing, could use to inject malicious sql into your query.

Maybe it’s overkill, but I’d rather have peace of mind at the expense of a tiny number of extra characters in my code.