
I'm just working on improving the security of my system before it goes live. So I'm adding a function to validate input data. I found this here on the W3C website as I did some research on what's the best way.

function test_input($data) {
  $data = trim($data);             // strip leading/trailing whitespace
  $data = stripslashes($data);     // remove backslashes added by addslashes()/magic quotes
  $data = htmlspecialchars($data); // encode &, <, > and " as HTML entities
  return $data;
}

As most stuff is saved in a database, I also require a MySQL escape, which I already had implemented. Now I would like to merge this and I just wonder in which order I run through those steps. It sure makes sense to trim first, but following that? I'm especially not sure about stripslashes and MySQL escape as it's kind of reversing itself?

It would be nice if someone with more experience could shine some light on it for me!

Edit 1: What about numeric inputs? Is it 'enough' to test with is_numeric()?

  • Don't use mysql_ functions anymore. Use mysqli functions or PDO functions. Then use parameterized queries. Commented Nov 28, 2015 at 6:30
  • @chris85 OK, I was thinking about it earlier, but I might reconsider it as it seems to be the future, as I just saw it is going to be removed in PHP 7. Commented Nov 28, 2015 at 7:00

1 Answer


You are correct to validate your data. However, without knowing what the purpose of the data is, it's impossible to advise on how to validate it. Validation and input security is about applying principles properly rather than any one specific set of code that fixes all potential issues. If it was that easy, then SQL injection would not be top of the OWASP Top 10.

What you must do is always ensure the data matches what you expect. For example, a text string in a numeric field could cause your code to do unexpected things. PHP has many functions that can be used for validation: is_numeric, strlen and preg_match. Regular expressions are great for validating dates, zip codes and a host of other input.

I'm not sure why you are using stripslashes, especially when talking about database queries. It was once common to see addslashes in use, so much so that PHP had magic quotes to automatically addslashes on all input. It's worth reading those pages of the manual as they cover the issues of blanket-changing all input very well.

The second thing to do is decide how you want to handle input that does not match expectations. It may be worth logging the errors so you can resolve any issues with your front-end code. Are you going to let the user know that there was a problem with the input?

Final thought on your question: you are asking about validating the input, but stripslashes and htmlspecialchars both modify the input as well. This can create issues later on, for example if you happen to want slashes in your input data for some use cases, or if the input is an image and not text.

Have different validation for different input types. Keep the encoding/escaping code to use when required, e.g. mysqli->real_escape_string before DB inserts and htmlspecialchars before using the data in XHTML output.

Read around the issue, learn the OWASP Top 10, ask on S.O. if you are struggling with a particular input scenario. Apply the lessons and then monitor your application in the real world. Don't just assume it will be secure, and you will go a long way to avoiding the pain and embarrassment of fixing a hacked system.
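As an added example (not code from the question or the answer), here is one way to put the answer's advice together in PHP: validation that accepts or rejects each field according to what the field means, a prepared statement for storage so that no real_escape_string step and no escaping order is needed at all, and htmlspecialchars applied only at the moment the value is rendered. It also answers the edit's is_numeric() question: is_numeric('1e3') is true, so an integer field needs a stricter check. The PDO SQLite in-memory connection, the comments table, the field rules and the posted values are assumptions made so the script runs offline; swap the DSN for your MySQL one.

```php
<?php
// Added example, not the question's or the answer's code.
// Assumes PDO with the sqlite driver (for an offline run) and mbstring.
declare(strict_types=1);

// 1. Validation: each field gets a rule that matches what the field means.
//    Nothing here rewrites the input; it is either accepted or rejected.

function validate_user_id(string $raw): ?int
{
    // is_numeric() is looser than it looks: it accepts "1e3", " 12" and ".5".
    // FILTER_VALIDATE_INT accepts only an optionally signed decimal integer,
    // and min_range rejects 0 and negatives for an id field.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function validate_zip(string $raw): ?string
{
    // Hypothetical rule: US ZIP or ZIP+4. \A and \z anchor the whole string;
    // a trailing "$" alone would still accept "12345\n".
    return preg_match('/\A\d{5}(-\d{4})?\z/', $raw) === 1 ? $raw : null;
}

function validate_comment(string $raw): ?string
{
    $raw = trim($raw);
    // Bound the length and require valid UTF-8. No stripslashes and no
    // htmlspecialchars here: the stored value should be the text the user typed.
    if ($raw === '' || strlen($raw) > 1000 || !mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    return $raw;
}

// 2. Storage: a prepared statement keeps the data out of the SQL text entirely,
//    so the "escape before or after stripslashes?" question never arises.
function store_comment(PDO $db, int $userId, string $zip, string $comment): void
{
    $stmt = $db->prepare(
        'INSERT INTO comments (user_id, zip, body) VALUES (:uid, :zip, :body)'
    );
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':zip', $zip, PDO::PARAM_STR);
    $stmt->bindValue(':body', $comment, PDO::PARAM_STR);
    $stmt->execute();
}

// 3. Output: escape for the context the data is rendered in, when it is rendered.
function render_comment(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// --- Demo with constructed inputs (what a form might POST) ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER, zip TEXT, body TEXT)');

$posted = [
    'user_id' => '42',
    'zip'     => '90210',
    'comment' => "  O'Reilly wrote: <script>alert(1)</script> and a \\ backslash  ",
];

$userId  = validate_user_id($posted['user_id']);
$zip     = validate_zip($posted['zip']);
$comment = validate_comment($posted['comment']);

if ($userId === null || $zip === null || $comment === null) {
    // Reject and log; do not try to "fix" the input.
    error_log('rejected input: ' . json_encode($posted));
    exit("Invalid input\n");
}

store_comment($db, $userId, $zip, $comment);

// The quote, the backslash and the <script> tag are stored verbatim ...
$row = $db->query('SELECT body FROM comments')->fetch(PDO::FETCH_ASSOC);
echo "stored:   ", $row['body'], "\n";

// ... and only become inert entities when rendered as HTML.
echo "rendered: ", render_comment($row['body']), "\n";

// Why is_numeric() alone is not a strict integer check.
var_dump(is_numeric('1e3'));          // the loose check accepts it
var_dump(validate_user_id('1e3'));    // the strict check rejects it
```

The separation is the point: validation decides whether a value is acceptable and leaves it alone, the database layer never sees user text inside SQL, and HTML encoding happens once, at output, with the charset and quote style stated explicitly. Rejected input is logged rather than silently rewritten, which is the handling decision the answer asks you to make.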
