[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 846
  • Last Modified:

Sanitize input

Hi Experts.
Im working on some project and my obsession is to sanitize input data as much as possible.
Right now, Im using this to sanitize input data coming from login form.
Is there anything more to do to protect input data?
I cant see any security hole in this approach (particularly SQL injection and XSS attack).
What additional steps should I take when I need to sanitize input which can contain html data (like content of web page for example). Is this enough or do I need something more to do?
Thanks in advance.

<?php
	session_cache_expire(30);
	session_start();
	header("Content-Type: text/html; charset=UTF-8");
	session_regenerate_id(true);
	
	//error_reporting(E_ALL); 
	//ini_set("display_errors", 1); 
	
	require_once("_conn.php");
	
	foreach ($_POST as $key => $value) {
		$$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));
	}
	
	foreach ($_GET as $key => $value) {
		$$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));
	}
	
	if( empty($_POST['token']) || $_POST['token'] != $_SESSION['token'] )
		header("Location: default.php?act=error");
		
	$valid_username = preg_match("/^[A-Za-z]\w{6,20}[A-Za-z_0-9]$/D",$username);
	$valid_password = preg_match("/^[A-Za-z]\w{6,20}[A-Za-z_0-9]$/D",$password);	
	
	if (!$valid_username || !$valid_password)
	{
		header("Location: default.php?act=error");
	}
	
	$password = SALT . $password;
	$password = sha1($password);
		
	$q = "SELECT * FROM administrators "
  	."WHERE username='" . $username . "' "
  	."AND password='". $password . "' "
  	."LIMIT 1";
 	
 	$r = mysql_query($q);
	
	if ( $obj = @mysql_fetch_object($r) )
	{
		// Login good, create session variables
		$_SESSION["nt_id_conn"] = $obj->idadministrator;
		$_SESSION["nt_id_username"] = $username;
		$_SESSION["nt_id_time"] = time();
		$_SESSION["nt_ip"] = $_SERVER["REMOTE_ADDR"];
		
		// Redirect to member page
		header("Location: main.php");
	}
	else
	{
		// Login not successful
		header("Location: default.php?act=error");
	}
	
	//unset($_SESSION['token']);
	
	session_write_close();
?>

Open in new window

0
R-Byter
Asked:
R-Byter
  • 4
  • 2
  • 2
1 Solution
 
R-ByterAuthor Commented:
Thanks for that links kalmax, there are very good info in that articles.
RIght now, Im trying to figure out if I covered everything.
For example if I try to put html as input data will I be protected with this:

foreach ($_POST as $key => $value) {
            $$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));
      }

I want to get to the point where I am certain of what I did already, so I can maybe change the way Im sanitizing input. In other words, If Im going to change something, I need to know what I did or what I am doing wrong.
Thanks.
0
 
KalpanCommented:
mysql_real_escape_string:

Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used

stripslashes:

Un-quotes a quoted string

htmlspecialchars:

Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with some of these conversions made; the translations made are those most useful for everyday web programming. If you require all HTML character entities to be translated, use htmlentities() instead

strip_tags

This function tries to return a string with all NUL bytes, HTML and PHP tags stripped from a given str
0
Take Control of Web Hosting For Your Clients

As a web developer or IT admin, successfully managing multiple client accounts can be challenging. In this webinar we will look at the tools provided by Media Temple and Plesk to make managing your clients’ hosting easier.

 
R-ByterAuthor Commented:
Obviously, I need to remove strip_tags from my code when I need to accept HTML input data.
Right now, It seems that HTML purifier library is the best solution for removing potentially malicious code from input (allowing tags that are needed instead of restricting tags that arent needed).
0
 
Ray PaseurCommented:
I would argue against doing this because it "mungs" the data:
$$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));

Instead, here are the things I recommend.  First, learn about the built-in PHP filters.  Here is a link.
http://us3.php.net/manual/en/function.filter-var.php

The filters are not perfect, but they are improving and are almost certainly more accurate than anything we can write ourselves (one of the benefits of open-source code: lots of eyes on the problem).

Next, adopt the philosophy, "Accept Only Known Good Values."  If you think an input should be a phone number, test for at least ten digits, does not start with zero, etc., and fail any input string that does not pass the tests.  Same with email addresses.  Postal addresses can be validated by feeding them to the Yahoo or Google Geocoder APIs - these will return a standardized address.  You might have some classes or functions that are directly associated with cleaning up the data.  I use a "clean string" function on fields that are not permitted to have anything but certain characters.

If you're expecting input from a human being, add a CAPTCHA image to the page.

Use mysql_real_escape_string() on every data field that is put into a data base.  It does no harm on numbers.  Just be sure to use it only once, or you may wind up with escaped data in the data base - not a catastrophe, but a common error.

When you echo output from your data base, send it through htmlentities() to avoid putting malicious code into your web site.

That's about it.  But the threats are always shifting.  Every couple of months you might want to do this search and read the top few articles, just to stay current.
http://lmgtfy.com?q=php+security

best regards, ~Ray
0
 
R-ByterAuthor Commented:
Thanks Ray for this detailed explanation.
I am always "user input paranoid" :), and thats why Im trying o cover every single aspect of handling the input.
I will use filters cause they give me exactly what I want, allowed characters in a simpler way then regex for basic operations. Also, form what I read they seem to be more efficient then using regex patterns.
0
 
R-ByterAuthor Commented:
Very detailed and good explanation
0
 
Ray PaseurCommented:
You can't be too paranoid, and I agree that good filters are better than REGEX.  Thanks for the points - it's a great question. ~Ray
0

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

  • 4
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now