Solved

Sanitize input

Posted on 2010-08-19
Last Modified: 2012-05-10
Hi Experts.
I'm working on some project and my obsession is to sanitize input data as much as possible.
Right now, I'm using this to sanitize input data coming from a login form.
Is there anything more to do to protect input data?
I can't see any security hole in this approach (particularly SQL injection and XSS attacks).
What additional steps should I take when I need to sanitize input which can contain HTML data (like the content of a web page, for example)? Is this enough or do I need to do something more?
Thanks in advance.

<?php
	session_cache_expire(30);
	session_start();
	header("Content-Type: text/html; charset=UTF-8");
	session_regenerate_id(true);

	//error_reporting(E_ALL);
	//ini_set("display_errors", 1);

	require_once("_conn.php");

	// Copy every request parameter into a same-named variable after the sanitizing chain
	foreach ($_POST as $key => $value) {
		$$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));
	}

	foreach ($_GET as $key => $value) {
		$$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));
	}

	// Reject the request when the form token is missing or does not match the session
	if( empty($_POST['token']) || $_POST['token'] != $_SESSION['token'] )
	{
		header("Location: default.php?act=error");
		exit; // header() alone does not end the script
	}

	$valid_username = preg_match("/^[A-Za-z]\w{6,20}[A-Za-z_0-9]$/D",$username);
	$valid_password = preg_match("/^[A-Za-z]\w{6,20}[A-Za-z_0-9]$/D",$password);

	if (!$valid_username || !$valid_password)
	{
		header("Location: default.php?act=error");
		exit; // do not fall through to the query with invalid input
	}

	$password = SALT . $password;
	$password = sha1($password);

	$q = "SELECT * FROM administrators "
		."WHERE username='" . $username . "' "
		."AND password='". $password . "' "
		."LIMIT 1";

	$r = mysql_query($q);

	if ( $obj = @mysql_fetch_object($r) )
	{
		// Login good, create session variables
		$_SESSION["nt_id_conn"] = $obj->idadministrator;
		$_SESSION["nt_id_username"] = $username;
		$_SESSION["nt_id_time"] = time();
		$_SESSION["nt_ip"] = $_SERVER["REMOTE_ADDR"];

		// Redirect to member page
		header("Location: main.php");
	}
	else
	{
		// Login not successful
		header("Location: default.php?act=error");
	}

	//unset($_SESSION['token']);

	session_write_close();
?>

Question by:R-Byter

Expert Comment

by:Kalpan
ID: 33473166

Author Comment

by:R-Byter
ID: 33473260
Thanks for those links kalmax, there is very good info in those articles.
Right now, I'm trying to figure out if I covered everything.
For example, if I try to put HTML as input data, will I be protected with this:

foreach ($_POST as $key => $value) {
	$$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));
}

I want to get to the point where I am certain of what I did already, so I can maybe change the way I'm sanitizing input. In other words, if I'm going to change something, I need to know what I did or what I am doing wrong.
Thanks.

Expert Comment

by:Kalpan
ID: 33473284
mysql_real_escape_string:

Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.

stripslashes:

Un-quotes a quoted string.

htmlspecialchars:

Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with some of these conversions made; the translations made are those most useful for everyday web programming. If you require all HTML character entities to be translated, use htmlentities() instead.

strip_tags:

This function tries to return a string with all NUL bytes, HTML and PHP tags stripped from a given str.

Author Comment

by:R-Byter
ID: 33473694
Obviously, I need to remove strip_tags from my code when I need to accept HTML input data.
Right now, it seems that the HTML Purifier library is the best solution for removing potentially malicious code from input (allowing tags that are needed instead of restricting tags that aren't needed).

Accepted Solution

by:Ray Paseur (earned 500 total points)
ID: 33474385
I would argue against doing this because it "mungs" the data:
$$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));

Instead, here are the things I recommend.  First, learn about the built-in PHP filters.  Here is a link.
http://us3.php.net/manual/en/function.filter-var.php

The filters are not perfect, but they are improving and are almost certainly more accurate than anything we can write ourselves (one of the benefits of open-source code: lots of eyes on the problem).

Next, adopt the philosophy, "Accept Only Known Good Values."  If you think an input should be a phone number, test for at least ten digits, does not start with zero, etc., and fail any input string that does not pass the tests.  Same with email addresses.  Postal addresses can be validated by feeding them to the Yahoo or Google Geocoder APIs - these will return a standardized address.  You might have some classes or functions that are directly associated with cleaning up the data.  I use a "clean string" function on fields that are not permitted to have anything but certain characters.

If you're expecting input from a human being, add a CAPTCHA image to the page.

Use mysql_real_escape_string() on every data field that is put into a data base.  It does no harm on numbers.  Just be sure to use it only once, or you may wind up with escaped data in the data base - not a catastrophe, but a common error.

When you echo output from your data base, send it through htmlentities() to avoid putting malicious code into your web site.

That's about it.  But the threats are always shifting.  Every couple of months you might want to do this search and read the top few articles, just to stay current.
http://lmgtfy.com?q=php+security

best regards, ~Ray
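
Added example (not part of Ray's answer or of the original thread): the approach recommended above, validating with filter_var() without altering the value and encoding only at output, shown next to the chain from the question so its effect on the data is visible. The function names and sample inputs are made up for illustration, and the database step is left out because mysql_real_escape_string() needs a live connection.

```php
<?php
// Added illustration; function names and sample inputs are constructed.

// The chain from the question without mysql_real_escape_string(), which
// needs a live connection. It rewrites the value at input time.
function munge(string $value): string
{
    return stripslashes(htmlspecialchars(strip_tags($value)));
}

// "Accept only known good values": test the input and reject it on failure,
// but never rewrite it. Returns the untouched string, or null if invalid.
function known_good(string $raw, string $kind): ?string
{
    switch ($kind) {
        case 'username': // same pattern as the login script in the question
            $ok = filter_var($raw, FILTER_VALIDATE_REGEXP, [
                'options' => ['regexp' => '/^[A-Za-z]\w{6,20}[A-Za-z_0-9]$/D'],
            ]);
            break;
        case 'email':
            $ok = filter_var($raw, FILTER_VALIDATE_EMAIL);
            break;
        default:
            $ok = false; // unknown field kinds are rejected, not passed through
    }
    return $ok === false ? null : $ok;
}

// Output boundary: encode once, at the moment the value is written into HTML.
function html(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

$name = "Tom O'Brien & Sons"; // constructed free-text field

// Encoding at input and again at output double-encodes what the visitor sees.
echo "munged, then echoed:   ", html(munge($name)), "\n";
// Stored as typed (escaped for SQL only when the query is built), encoded once.
echo "kept raw, then echoed: ", html($name), "\n";

// Constructed inputs: accepted values come back unchanged, bad ones are refused.
foreach ([['rbyter_2010', 'username'], ["x' OR '1'='1", 'username'],
          ['user@example.com', 'email'], ['<script>@example.com', 'email']] as [$raw, $kind]) {
    echo str_pad($kind, 9), var_export(known_good($raw, $kind), true), "\n";
}
```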

Author Comment

by:R-Byter
ID: 33474605
Thanks Ray for this detailed explanation.
I am always "user input paranoid" :), and that's why I'm trying to cover every single aspect of handling the input.
I will use filters cause they give me exactly what I want, allowed characters in a simpler way than regex for basic operations. Also, from what I read they seem to be more efficient than using regex patterns.

Author Closing Comment

by:R-Byter
ID: 33474611
Very detailed and good explanation

Expert Comment

by:Ray Paseur
ID: 33476704
You can't be too paranoid, and I agree that good filters are better than REGEX.  Thanks for the points - it's a great question. ~Ray