Sanitize input

Posted on 2010-08-19
Medium Priority
Last Modified: 2012-05-10
Hi Experts.
I'm working on some project and my obsession is to sanitize input data as much as possible.
Right now, I'm using this to sanitize input data coming from a login form.
Is there anything more to do to protect input data?
I can't see any security hole in this approach (particularly SQL injection and XSS attack).
What additional steps should I take when I need to sanitize input which can contain HTML data (like the content of a web page, for example)? Is this enough or do I need to do something more?
Thanks in advance.

	header("Content-Type: text/html; charset=UTF-8");
	//ini_set("display_errors", 1); 
	// Run every POST and GET value through the same chain and copy it into a local variable
	foreach ($_POST as $key => $value) {
		$$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));
	}
	foreach ($_GET as $key => $value) {
		$$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));
	}
	// Form token check
	if( empty($_POST['token']) || $_POST['token'] != $_SESSION['token'] ) {
		header("Location: default.php?act=error");
		exit; // header() alone does not stop the script
	}
	$valid_username = preg_match("/^[A-Za-z]\w{6,20}[A-Za-z_0-9]$/D",$username);
	$valid_password = preg_match("/^[A-Za-z]\w{6,20}[A-Za-z_0-9]$/D",$password);	
	if (!$valid_username || !$valid_password) {
		header("Location: default.php?act=error");
		exit; // header() alone does not stop the script
	}
	$password = SALT . $password;
	$password = sha1($password);
	$q = "SELECT * FROM administrators "
  	."WHERE username='" . $username . "' "
  	."AND password='". $password . "' "
  	."LIMIT 1";
 	$r = mysql_query($q);
	if ( $obj = @mysql_fetch_object($r) ) {
		// Login good, create session variables
		$_SESSION["nt_id_conn"] = $obj->idadministrator;
		$_SESSION["nt_id_username"] = $username;
		$_SESSION["nt_id_time"] = time();
		$_SESSION["nt_ip"] = $_SERVER["REMOTE_ADDR"];
		// Redirect to member page
		header("Location: main.php");
	} else {
		// Login not successful
		header("Location: default.php?act=error");
	}


Question by:R-Byter

Author Comment

ID: 33473260
Thanks for those links kalmax, there is very good info in those articles.
Right now, I'm trying to figure out if I covered everything.
For example, if I try to put HTML as input data, will I be protected with this:

foreach ($_POST as $key => $value) {
            $$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));
}

I want to get to the point where I am certain of what I did already, so I can maybe change the way I'm sanitizing input. In other words, if I'm going to change something, I need to know what I did or what I am doing wrong.

Expert Comment

ID: 33473284

Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used


Un-quotes a quoted string


Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with some of these conversions made; the translations made are those most useful for everyday web programming. If you require all HTML character entities to be translated, use htmlentities() instead


This function tries to return a string with all NUL bytes, HTML and PHP tags stripped from a given str

Author Comment

ID: 33473694
Obviously, I need to remove strip_tags from my code when I need to accept HTML input data.
Right now, it seems that the HTML Purifier library is the best solution for removing potentially malicious code from input (allowing tags that are needed instead of restricting tags that aren't needed).

Accepted Solution

Ray Paseur earned 2000 total points
ID: 33474385
I would argue against doing this because it "mungs" the data:
$$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));

Instead, here are the things I recommend.  First, learn about the built-in PHP filters.  Here is a link.

The filters are not perfect, but they are improving and are almost certainly more accurate than anything we can write ourselves (one of the benefits of open-source code: lots of eyes on the problem).

Next, adopt the philosophy, "Accept Only Known Good Values."  If you think an input should be a phone number, test for at least ten digits, does not start with zero, etc., and fail any input string that does not pass the tests.  Same with email addresses.  Postal addresses can be validated by feeding them to the Yahoo or Google Geocoder APIs - these will return a standardized address.  You might have some classes or functions that are directly associated with cleaning up the data.  I use a "clean string" function on fields that are not permitted to have anything but certain characters.

If you're expecting input from a human being, add a CAPTCHA image to the page.

Use mysql_real_escape_string() on every data field that is put into a data base.  It does no harm on numbers.  Just be sure to use it only once, or you may wind up with escaped data in the data base - not a catastrophe, but a common error.

When you echo output from your data base, send it through htmlentities() to avoid putting malicious code into your web site.

That's about it.  But the threats are always shifting.  Every couple of months you might want to do this search and read the top few articles, just to stay current.

best regards, ~Ray
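
The recommendations in the answer above, as an added example that is not part of the thread: validate with a built-in filter, pass the untouched value through a single escaping step at the database, and encode only on output. It assumes PHP with the pdo_sqlite extension and swaps a PDO prepared statement in for mysql_real_escape_string(), because the mysql_* functions were removed in PHP 7; the table, the helper names and the sample values are constructed.

```php
<?php
// Constructed sample submissions (stand-ins for $_POST); not from the thread.
$submissions = [
    ['username' => 'rbyter_2010', 'body' => "O'Brien: <b>hi</b> & <script>alert(1)</script>"],
    ['username' => "o'brien <admin>", 'body' => 'never stored'],
];

// Accept only known good values: the filter either returns the input
// unchanged or rejects it. Nothing is stripped or rewritten.
function valid_username($raw)
{
    $ok = filter_var($raw, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/^[A-Za-z]\w{6,20}[A-Za-z_0-9]$/D'],
    ]);
    return $ok === false ? null : $ok;
}

// Encode for HTML at output time only, never before storage.
function html($value)
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (username TEXT, body TEXT)');

// Bound parameters: the driver handles quoting exactly once
// (the swap-in for a single mysql_real_escape_string() call).
$insert = $db->prepare('INSERT INTO posts (username, body) VALUES (?, ?)');

foreach ($submissions as $post) {
    $username = valid_username($post['username']);
    if ($username === null) {
        echo "rejected username\n";   // fail the input, do not try to repair it
        continue;
    }
    $insert->execute([$username, $post['body']]);
}

foreach ($db->query('SELECT username, body FROM posts') as $row) {
    // The stored value is byte-for-byte what was submitted...
    var_dump($row['body'] === $submissions[0]['body']);
    // ...and becomes inert text only when written into the page.
    echo html($row['username']), ': ', html($row['body']), "\n";
}
```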

Author Comment

ID: 33474605
Thanks Ray for this detailed explanation.
I am always "user input paranoid" :), and that's why I'm trying to cover every single aspect of handling the input.
I will use filters cause they give me exactly what I want, allowed characters in a simpler way than regex for basic operations. Also, from what I read they seem to be more efficient than using regex patterns.

Author Closing Comment

ID: 33474611
Very detailed and good explanation

Expert Comment

by:Ray Paseur
ID: 33476704
You can't be too paranoid, and I agree that good filters are better than REGEX.  Thanks for the points - it's a great question. ~Ray
