Sanitize input

Posted on 2010-08-19
Last Modified: 2012-05-10
Hi Experts.
I'm working on a project, and my obsession is to sanitize input data as much as possible.
Right now I'm using the code below to sanitize input data coming from a login form.
Is there anything more I should do to protect input data?
I can't see any security hole in this approach (particularly SQL injection and XSS attacks).
What additional steps should I take when I need to sanitize input that can contain HTML (the content of a web page, for example)? Is this enough, or do I need to do something more?
Thanks in advance.

	header("Content-Type: text/html; charset=UTF-8");
	//ini_set("display_errors", 1);
	// Copy every POST and GET value into a same-named variable, sanitized
	foreach ($_POST as $key => $value) {
		$$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));
	}
	foreach ($_GET as $key => $value) {
		$$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));
	}
	// Reject the request if the form token is missing or does not match
	if ( empty($_POST['token']) || $_POST['token'] != $_SESSION['token'] ) {
		header("Location: default.php?act=error");
		exit; // header() alone does not stop the script
	}
	// Must start with a letter and be 8 to 22 word characters long
	$valid_username = preg_match("/^[A-Za-z]\w{6,20}[A-Za-z_0-9]$/D",$username);
	$valid_password = preg_match("/^[A-Za-z]\w{6,20}[A-Za-z_0-9]$/D",$password);
	if (!$valid_username || !$valid_password) {
		header("Location: default.php?act=error");
		exit;
	}
	// Salt and hash the password before comparing it with the stored hash
	$password = SALT . $password;
	$password = sha1($password);
	$q = "SELECT * FROM administrators "
		."WHERE username='" . $username . "' "
		."AND password='". $password . "' "
		."LIMIT 1";
	$r = mysql_query($q);
	if ( $obj = @mysql_fetch_object($r) ) {
		// Login good, create session variables
		$_SESSION["nt_id_conn"] = $obj->idadministrator;
		$_SESSION["nt_id_username"] = $username;
		$_SESSION["nt_id_time"] = time();
		$_SESSION["nt_ip"] = $_SERVER["REMOTE_ADDR"];
		// Redirect to member page
		header("Location: main.php");
		exit;
	} else {
		// Login not successful
		header("Location: default.php?act=error");
		exit;
	}


Question by:R-Byter
LVL 14

Author Comment

ID: 33473260
Thanks for those links, kalmax; there is very good info in those articles.
Right now, I'm trying to figure out whether I've covered everything.
For example, if someone submits HTML as input data, will I be protected by this:

foreach ($_POST as $key => $value) {
            $$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));
}

I want to get to the point where I'm certain about what I've already done, so that I can then change the way I'm sanitizing input if needed. In other words, before I change anything, I need to know what I did and what I'm doing wrong.
LVL 14

Expert Comment

ID: 33473284

mysql_real_escape_string()
Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.

stripslashes()
Un-quotes a quoted string.

htmlspecialchars()
Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with some of these conversions made; the translations made are those most useful for everyday web programming. If you require all HTML character entities to be translated, use htmlentities() instead.

strip_tags()
This function tries to return a string with all NUL bytes, HTML and PHP tags stripped from a given str.

LVL 14

Author Comment

ID: 33473694
Obviously, I need to remove strip_tags from my code when I need to accept HTML input data.
Right now, it seems that the HTML Purifier library is the best solution for removing potentially malicious code from input (allowing the tags that are needed instead of restricting the tags that aren't).
LVL 110

Accepted Solution

Ray Paseur earned 500 total points
ID: 33474385
I would argue against doing this because it "mungs" the data:
$$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));
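
To make "mungs" concrete, here is a rough sketch that runs the same chain on a made-up value. It leaves out mysql_real_escape_string(), since that call needs an open mysql_* connection and the extension was removed in PHP 7. The munge() name and the sample input are only for illustration, not part of the original code.

```php
<?php
// Hypothetical helper: the chain from the question, minus
// mysql_real_escape_string(), which needs a live mysql_* connection.
function munge(string $value): string
{
    return stripslashes(htmlspecialchars(strip_tags($value)));
}

// Made-up input containing an ampersand and a literal backslash.
$typed  = 'R&D\team';
$munged = munge($typed);

echo $munged, PHP_EOL; // R&amp;Dteam
```

The value that would be stored is no longer what the user typed: the ampersand has become an HTML entity and the backslash is gone.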

Instead, here are the things I recommend.  First, learn about the built-in PHP filters.  Here is a link.

The filters are not perfect, but they are improving and are almost certainly more accurate than anything we can write ourselves (one of the benefits of open-source code: lots of eyes on the problem).
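
As a minimal sketch of what the filters look like in use (the sample values are made up), filter_var() returns the validated value on success and false on failure:

```php
<?php
// Validate an e-mail address: the address comes back on success.
$email = filter_var('user@example.com', FILTER_VALIDATE_EMAIL);

// Validate an integer inside a range; anything else yields false.
$age = filter_var('42', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1, 'max_range' => 120],
]);

// Trailing junk makes the whole value fail instead of being "repaired".
$bad = filter_var('42; DROP TABLE users', FILTER_VALIDATE_INT);

var_dump($email, $age, $bad);
// string(16) "user@example.com"
// int(42)
// bool(false)
```

In a form handler, filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL) applies the same check directly to the request data.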

Next, adopt the philosophy, "Accept Only Known Good Values."  If you think an input should be a phone number, test for at least ten digits, does not start with zero, etc., and fail any input string that does not pass the tests.  Same with email addresses.  Postal addresses can be validated by feeding them to the Yahoo or Google Geocoder APIs - these will return a standardized address.  You might have some classes or functions that are directly associated with cleaning up the data.  I use a "clean string" function on fields that are not permitted to have anything but certain characters.
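
One possible reading of the phone-number rule and the "clean string" idea above, sketched with hypothetical function names (valid_phone() and is_clean() are not from any library, and the exact rules are assumptions for illustration):

```php
<?php
// Hypothetical validator: drop formatting characters, then require
// at least ten digits, the first of which is not zero.
function valid_phone(string $input): bool
{
    $digits = preg_replace('/\D+/', '', $input);
    return strlen($digits) >= 10 && $digits[0] !== '0';
}

// Hypothetical "clean string" check: fail any value that contains a
// character outside the allowed set ($allowed is a character-class body).
function is_clean(string $input, string $allowed = 'A-Za-z0-9_'): bool
{
    return preg_match('/^[' . $allowed . ']+$/D', $input) === 1;
}

var_dump(valid_phone('(703) 555-1212')); // bool(true)
var_dump(valid_phone('0555 1212'));      // bool(false)
var_dump(is_clean('R_Byter42'));         // bool(true)
var_dump(is_clean('<script>'));          // bool(false)
```

Both functions only accept or reject; neither tries to fix a bad value, which is the point of "Accept Only Known Good Values."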

If you're expecting input from a human being, add a CAPTCHA image to the page.

Use mysql_real_escape_string() on every data field that is put into a data base.  It does no harm on numbers.  Just be sure to use it only once, or you may wind up with escaped data in the data base - not a catastrophe, but a common error.
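
For readers on newer PHP versions, where the mysql_* functions no longer exist, a different technique does the same job: prepared statements. The sketch below is not the mysql_real_escape_string() approach described above. It assumes PDO with the SQLite driver, chosen only so the example runs without a database server; the table layout is a guess based on the column names in the question.

```php
<?php
// Assumption: pdo_sqlite is available. An in-memory database keeps the
// sketch self-contained; the table definition is hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE administrators (idadministrator INTEGER PRIMARY KEY, username TEXT)');

// Placeholders keep the data out of the SQL text, so there is no manual
// escaping step and nothing that can be escaped twice by accident.
$insert = $pdo->prepare('INSERT INTO administrators (username) VALUES (:username)');
$insert->execute([':username' => "O'Brien"]);

$select = $pdo->prepare('SELECT username FROM administrators WHERE username = :username');
$select->execute([':username' => "O'Brien"]);
$stored = $select->fetchColumn();

echo $stored, PHP_EOL; // O'Brien
```

The value comes back exactly as it went in, quote included, with no backslashes stored in the table.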

When you echo output from your data base, send it through htmlentities() to avoid putting malicious code into your web site.
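
A small sketch of escaping at output time (the $comment value is made up; the flags and charset are passed explicitly because the defaults differ between PHP versions):

```php
<?php
// Hypothetical value as it might come back from the database, unescaped.
$comment = '<script>alert("xss")</script>';

// Escape only when writing into the HTML page, not before storing.
$safe = htmlentities($comment, ENT_QUOTES, 'UTF-8');

echo $safe, PHP_EOL;
// &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;
```

The browser then displays the text of the script tag instead of running it.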

That's about it.  But the threats are always shifting.  Every couple of months you might want to do this search and read the top few articles, just to stay current.

best regards, ~Ray
LVL 14

Author Comment

ID: 33474605
Thanks, Ray, for this detailed explanation.
I am always "user input paranoid" :), and that's why I'm trying to cover every single aspect of handling the input.
I will use filters because they give me exactly what I want: a way to specify allowed characters that is simpler than regex for basic operations. Also, from what I've read, they seem to be more efficient than regex patterns.
LVL 14

Author Closing Comment

ID: 33474611
Very detailed and good explanation
LVL 110

Expert Comment

by:Ray Paseur
ID: 33476704
You can't be too paranoid, and I agree that good filters are better than REGEX.  Thanks for the points - it's a great question. ~Ray
