Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Sanitize input

Posted on 2010-08-19
Medium Priority
Last Modified: 2012-05-10
Hi Experts.
Im working on some project and my obsession is to sanitize input data as much as possible.
Right now, Im using this to sanitize input data coming from login form.
Is there anything more to do to protect input data?
I cant see any security hole in this approach (particularly SQL injection and XSS attack).
What additional steps should I take when I need to sanitize input which can contain html data (like content of web page for example). Is this enough or do I need something more to do?
Thanks in advance.

	header("Content-Type: text/html; charset=UTF-8");
	//ini_set("display_errors", 1); 
	foreach ($_POST as $key => $value) {
		$$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));
	foreach ($_GET as $key => $value) {
		$$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));
	if( empty($_POST['token']) || $_POST['token'] != $_SESSION['token'] )
		header("Location: default.php?act=error");
	$valid_username = preg_match("/^[A-Za-z]\w{6,20}[A-Za-z_0-9]$/D",$username);
	$valid_password = preg_match("/^[A-Za-z]\w{6,20}[A-Za-z_0-9]$/D",$password);	
	if (!$valid_username || !$valid_password)
		header("Location: default.php?act=error");
	$password = SALT . $password;
	$password = sha1($password);
	$q = "SELECT * FROM administrators "
  	."WHERE username='" . $username . "' "
  	."AND password='". $password . "' "
  	."LIMIT 1";
 	$r = mysql_query($q);
	if ( $obj = @mysql_fetch_object($r) )
		// Login good, create session variables
		$_SESSION["nt_id_conn"] = $obj->idadministrator;
		$_SESSION["nt_id_username"] = $username;
		$_SESSION["nt_id_time"] = time();
		$_SESSION["nt_ip"] = $_SERVER["REMOTE_ADDR"];
		// Redirect to member page
		header("Location: main.php");
		// Login not successful
		header("Location: default.php?act=error");

Open in new window

Question by:R-Byter
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
LVL 14

Author Comment

ID: 33473260
Thanks for that links kalmax, there are very good info in that articles.
RIght now, Im trying to figure out if I covered everything.
For example if I try to put html as input data will I be protected with this:

foreach ($_POST as $key => $value) {
            $$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));

I want to get to the point where I am certain of what I did already, so I can maybe change the way Im sanitizing input. In other words, If Im going to change something, I need to know what I did or what I am doing wrong.
LVL 14

Expert Comment

ID: 33473284

Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used


Un-quotes a quoted string


Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with some of these conversions made; the translations made are those most useful for everyday web programming. If you require all HTML character entities to be translated, use htmlentities() instead


This function tries to return a string with all NUL bytes, HTML and PHP tags stripped from a given str
Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

LVL 14

Author Comment

ID: 33473694
Obviously, I need to remove strip_tags from my code when I need to accept HTML input data.
Right now, It seems that HTML purifier library is the best solution for removing potentially malicious code from input (allowing tags that are needed instead of restricting tags that arent needed).
LVL 111

Accepted Solution

Ray Paseur earned 2000 total points
ID: 33474385
I would argue against doing this because it "mungs" the data:
$$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));

Instead, here are the things I recommend.  First, learn about the built-in PHP filters.  Here is a link.

The filters are not perfect, but they are improving and are almost certainly more accurate than anything we can write ourselves (one of the benefits of open-source code: lots of eyes on the problem).

Next, adopt the philosophy, "Accept Only Known Good Values."  If you think an input should be a phone number, test for at least ten digits, does not start with zero, etc., and fail any input string that does not pass the tests.  Same with email addresses.  Postal addresses can be validated by feeding them to the Yahoo or Google Geocoder APIs - these will return a standardized address.  You might have some classes or functions that are directly associated with cleaning up the data.  I use a "clean string" function on fields that are not permitted to have anything but certain characters.

If you're expecting input from a human being, add a CAPTCHA image to the page.

Use mysql_real_escape_string() on every data field that is put into a data base.  It does no harm on numbers.  Just be sure to use it only once, or you may wind up with escaped data in the data base - not a catastrophe, but a common error.

When you echo output from your data base, send it through htmlentities() to avoid putting malicious code into your web site.

That's about it.  But the threats are always shifting.  Every couple of months you might want to do this search and read the top few articles, just to stay current.

best regards, ~Ray
LVL 14

Author Comment

ID: 33474605
Thanks Ray for this detailed explanation.
I am always "user input paranoid" :), and thats why Im trying o cover every single aspect of handling the input.
I will use filters cause they give me exactly what I want, allowed characters in a simpler way then regex for basic operations. Also, form what I read they seem to be more efficient then using regex patterns.
LVL 14

Author Closing Comment

ID: 33474611
Very detailed and good explanation
LVL 111

Expert Comment

by:Ray Paseur
ID: 33476704
You can't be too paranoid, and I agree that good filters are better than REGEX.  Thanks for the points - it's a great question. ~Ray

Featured Post

Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Containers like Docker and Rocket are getting more popular every day. In my conversations with customers, they consistently ask what containers are and how they can use them in their environment. If you’re as curious as most people, read on. . .
Backups and Disaster RecoveryIn this post, we’ll look at strategies for backups and disaster recovery.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…

660 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question