Hi Guys,
I’m in the middle of creating a PHP system and I have already protected the system from MySQL injection. Is there anything else I can do to help protect it, and if so, are there any examples?
Thanks guys!
Hi,
I use:
$_POST = array_map("strip_tags", $_POST);
$_POST = array_map("trim", $_POST);
Then mysql_real_escape_string()
The principles are encapsulated in the term FIEO (Filter input, escape output).
Filter input: check what is being sent to you against what you expect it to be.
E.g. imagine this contrived input, a GET request from a form the user filled in:
?edit=yes&id=12
// leaving aside the isset() checks for brevity
if ( !in_array($_GET['edit'], array('yes', 'no')) || (int)$_GET['id'] === 0 ){
// fail, abort, logout or send away
}
// get on with processing
In pseudo code:
if $edit is not found in the white-list 'yes' or 'no'
OR
when I typecast $id into an integer, and that returns zero
then this simple filter has detected failure. Stop processing, send away.
The incoming data did not fit your expectations as you filtered it.
Another popular filter would be something which checks that an email address follows the exact pattern of characters that an email must fit within.
It does not mean the email address exists, of course.
NB: You may well have already done these checks in Javascript, but that is a usability issue, not a security check - you always have to re-check when the stuff arrives on your server.
Yes, even hidden fields in your form.
Escape output in simple terms means protect the next environment you are sending this variable to so that it does not damage it.
The steps you took to protect yourself from SQL injection are an example of just this (hopefully).
Protecting users from XSS attacks is another example of escaping for the next environment, where the next environment is a webpage.
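Putting both halves of FIEO together in one PHP request handler, as an added example that is not code from the poster above. It assumes a hypothetical PDO connection `$pdo` and table `items`; the `filter_request()` and `html()` helper names are mine, and it uses `FILTER_VALIDATE_INT` instead of a plain `(int)` cast because the cast would silently accept input such as `12abc`.

```php
<?php
// Added example of FIEO: filter input against expectations, then escape
// output for each destination (HTML page, SQL). $pdo and `items` are assumed.

// --- Filter input: reject anything that does not match what we expect ---
function filter_request(array $get): ?array
{
    if (!isset($get['edit'], $get['id'])) {
        return null;                       // missing fields: fail closed
    }
    // White-list: 'edit' must be exactly 'yes' or 'no' (strict comparison).
    if (!in_array($get['edit'], ['yes', 'no'], true)) {
        return null;
    }
    // 'id' must be a whole positive integer; '12abc' or '0' is rejected here,
    // whereas (int)'12abc' would quietly become 12.
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Optional email: must fit the email pattern (this does not prove it exists).
    $email = null;
    if (isset($get['email'])) {
        $email = filter_var(trim($get['email']), FILTER_VALIDATE_EMAIL);
        if ($email === false) {
            return null;
        }
    }
    return ['edit' => $get['edit'] === 'yes', 'id' => $id, 'email' => $email];
}

// --- Escape output: protect the next environment the value goes into ---
function html(string $value): string
{
    // HTML context: <, >, &, quotes become entities, so data cannot become markup.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$input = filter_request($_GET);
if ($input === null) {
    http_response_code(400);
    exit('Bad request');                   // stop processing, send away
}

// SQL context: a prepared statement keeps data out of the query text entirely.
$stmt = $pdo->prepare('SELECT name FROM items WHERE id = :id');
$stmt->execute([':id' => $input['id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

echo '<p>Item: ', html($row['name'] ?? ''), '</p>';
// Hidden fields are re-checked on the server and still escaped on the way out.
echo '<input type="hidden" name="email" value="', html($input['email'] ?? ''), '">';
```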