1

I am trying to figure out which functions are best to use in different cases when inputting data, as well as outputting data.

When I allow a user to input data into MySQL what is the best way to secure the data to prevent SQL injections and or any other type of injections or hacks someone could attempt?

When I output the data as regular html from the database what is the best way to do this so scripts and such cannot be run?

At the moment I basically only use 

mysql_real_escape_string();

before inputting the data to the database, this seems to work fine, but I would like to know if this is all I need to do, or if some other method is better.

And at the moment I use 

stripslashes(nl2br(htmlentities()))

(most of the time anyways) for outputting data. I find these work fine for what I usually use them for, however I have run into a problem with htmlentities, I want to be able to have some html tags output respectively, for example:

<ul></ul><li></li><bold></bold>

etc, but I can't.

any help would be great, thanks.

Improve this question
2
  • You might want to check out bobby-tables.com Commented Aug 10, 2012 at 0:00
  • Thanks, but yeah I have looked at that before and it doesn't really make much sense to me. :\ Commented Aug 10, 2012 at 0:05

3 Answers 3

Reset to default
3

I agree with mikikg that you need to understand SQL injection and XSS vulnerabilities before you can try to secure applications against these types of problems.

However, I disagree with his assertions to use regular expressions to validate user input as a SQL injection preventer. Yes, do validate user input insofar as you can. But don't rely on this to prevent injections, because hackers break these kinds of filters quite often. Also, don't be too strict with your filters -- plenty of websites won't let me log in because there's an apostrophe in my name, and let me tell you, it's a pain in the a** when this happens.

There are two kinds of security problems you mention in your question. The first is a SQL injection. This vulnerability is a "solved problem." That is, if you use parameterized queries, and never pass user supplied data in as anything but a parameter, the database is going to do the "right thing" for you, no matter what happens. For many databases, if you use parameterized queries, there's no chance of injection because the data isn't actually sent embedded in the SQL -- the data is passed unescaped in a length prefixed or similar blob along the wire. This is considerably more performant than database escape functions, and can be safer. (Note: if you use stored procedures that generate dynamic SQL on the database, they might also have injection problems!)

The second problem you mention is the cross site scripting problem. If you want to allow the user to supply HTML without entity escaping it first, this problem is an open research question. Suffice to say that if you allow the user to pass some kinds of HTML, it's entirely likely that your system will suffer an XSS problem at some point to a determined attacker. Now, the state of the art for this problem is to "filter" the data on the server, using libraries like HTMLPurifier. Attackers can and do break these filters on a regular basis; but as of yet nobody has found a better way of protecting the application from these kinds of things. You may be better off only allowing a specific whitelist of HTML tags, and entity encoding anything else.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

This is one of the most problematic task today :)

You need to know how SQL injection and other attackers methods works. There are very detailed explanation of each method in https://www.owasp.org/index.php/Main_Page and also whole security framework for PHP.

Using specific security libraries from some framework are also good choice like in CodeIgniter or Zend.

Next, use REGEXP as much as you can and stick pattern rules to specific input format.

Use prepared statements or active records class of your framework.

Always cast your input with (int)$_GET['myvar'] if you really need numeric values.

There are so many other rules and methods to secure your application, but one golden rule is "never trust user's input".

Improve this answer

1 Comment

No! Do not validate user input using regular expressions as a SQL injection preventer. People will find ways to break your filters, or exploit bugs in regular expression engines. Use escaping (yuck) or parameratized queries (yay) to prevent this sort of attack; that's what these are designed for. Note that you didn't address the XSS part of the user's question.
0

In your php configuration, magic_quotes_gpc should be off. So you won't need stripslashes.

For SQL, take a look at PDO's prepared statements.

And for your custom tags, as there are only three of them, you can do a preg_replace call after the call of htmlentities to convert those back before your insert them into the database.

Improve this answer

2 Comments

Thanks for your answer, as far as magic_quotes_gpc and stripslashes, I need stripslashes because I use jQuery Serialize when submitting my forms, so apparently that does the same thing as magic_quotes.
@Dylan: Then you should be doing stripslashes before the data goes into the database. The content in the database should never have presentation layer considerations (like stripslashes) applied to it -- you never know if you're going to use the same data in something that's not an HTML page somewhere down the line, and trying to do this everywhere is a pain in the neck.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.