Friday 10 November 2017

Comprehensive Security Against User Input - PHP, MySQL

Goal:
Properly sanitize all inputs from text boxes before entering into DB, which is then
output to a page. For my use case, I need to prevent potential problems while not
eliminating the data input. Also, the charset is explicitly set to UTF-8 in both the
HTTP header and the META tag to prevent problems with malformed encoding. The DB is also
set to UTF-8.



Specs: PHP, MySQL, Apache

Sample Code:



    // Question's original sanitizer, kept as posted: it escapes and strips on
    // the way into the DB rather than at output time, and relies on the old
    // mysql_* extension (see the answer below for why that matters).
    function secureinput($input)
    {
        // Encode HTML metacharacters (including both quote styles) as UTF-8
        $input = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
        // Fail-safe for anything that gets through
        $input = strip_tags($input);
        // Escape for interpolation into a MySQL string literal
        $input = mysql_real_escape_string($input);

        return $input;
    }


Question:
What vectors of attack (XSS, SQL Injection, etc.) is this still vulnerable
to?



A huge thanks to anyone who can help. This
is my first time posting, though I've always turned to SO first for looking up answers
to my questions. Unfortunately, this time I couldn't find any other questions that
answered my problem, only small parts of it.


Answer



XSS Attacks



By using htmlspecialchars() whenever
you output user-inputted content, you can ensure you will be safe from XSS
attacks.




SQL Injection



Steve Friedl provides some examples of SQL Injections and limitations of input
sanitization on his website: http://www.unixwiz.net/techtips/sql-injection.html



Even
though your code may be secure from
SQL injection attacks with mysql_real_escape_string(), you are better off using
parameterized SQL and eliminating the risk of SQL injection altogether. You will also be
much more secure if you use PDO or mysqli in PHP instead of the deprecated mysql
functions.
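One way to apply the answer's advice, as an added example that is not code from the question or the answer: store the text unmodified through a PDO prepared statement (so nothing is stripped from the data) and escape only when rendering the HTML page. It assumes PHP with the pdo_sqlite extension so it runs without a MySQL server; the function names and sample inputs are constructed for the example.

```php
<?php
// Added example: parameterized storage, output-time escaping. Uses PDO's SQLite
// driver (assumed available as pdo_sqlite) so it runs offline; for MySQL the DSN
// would be 'mysql:host=...;dbname=...;charset=utf8mb4' and the rest is unchanged.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With MySQL also set PDO::ATTR_EMULATE_PREPARES to false so the server,
    // not the client library, separates the query from its parameters.
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

function storeComment(PDO $db, string $body): int
{
    // The raw text is bound as a parameter: no escaping, nothing stripped,
    // and the value is never parsed as part of the SQL statement.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function fetchComment(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

function renderComment(string $body): string
{
    // Escape for the HTML context at output time only. ENT_QUOTES covers
    // attribute values as well as text nodes; the charset matches the page's
    // UTF-8 and ENT_SUBSTITUTE replaces invalid byte sequences instead of
    // returning an empty string.
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed sample inputs: one that would have broken a string-concatenated
// query, one that would have run as markup if echoed unescaped. Both are stored
// exactly as typed and neutralised only where they could do harm.
$db = openDb();
$id1 = storeComment($db, "O'Reilly's review: 5 stars; DROP TABLE comments; --");
$id2 = storeComment($db, '<script>alert("xss")</script>');
echo renderComment(fetchComment($db, $id1)), "\n";
echo renderComment(fetchComment($db, $id2)), "\n";
```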

