Robert Granlund asked:

PHP PDO Sanitize user input

What is the best way to sanitize user input?
	// Check for a State:
	if (empty($_POST['state'])) {
		$errors[] = 'You forgot to enter a state.';
	} else {
		// Escape the submitted value for use in a MySQL query string
		// (this only quotes it; it does not validate that it is a state).
		$st = mysql_real_escape_string($_POST['state']);
	}


Last comment: Ray Paseur, 8/22/2022 - Mon

Ray Paseur
Oh, never mind - now I get it.

The mantra is "accept only known good values."  This should obviously not be restated as "exclude all known bad values" because there are more bad values than you can think of, and if you approach security from the wrong end of the gun, well, it will not end in a way you enjoy.

All external data must be considered tainted and treated as an attack vector.

The escape_string() functions are used to make the data safe for use in a query string.  But that really does nothing to sanitize the input.  You would still want to check the basics.  For example, if your script is going to rely on a state abbreviation, one obvious check would be to see that the input was a string, two characters in length, and that it matched one of the standard state abbreviations.  If you expect a person's name, you might have a regular expression that kept only the letters of the alphabet, along with the comma, dot and hyphen.  Things like that are important.

On the outbound side, if your script echoes any browser output that was received from an external source, use htmlentities() or htmlspecialchars() to prevent your site from becoming an attack vector.
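The checks described in the answer above, written out as an added example (this is not code from the original post): a whitelist check for the state abbreviation, a restrictive regular expression for a name, and htmlspecialchars() on anything echoed back. The field names, the short KNOWN_STATES list, the length limit on the name, and the decision to also allow a space in names are assumptions made for the demonstration.

```php
<?php
// Added example, not from the original post: accept only known good values.
// KNOWN_STATES is a constructed, deliberately short list; a real script
// would carry every valid code.
const KNOWN_STATES = ['CA', 'NY', 'TX', 'FL', 'WA'];

/**
 * Accept only a two-letter code that appears in the known list.
 * Returns the normalised code, or null when the value is not acceptable.
 */
function validateState($value): ?string
{
    if (!is_string($value)) {
        return null;
    }
    $st = strtoupper(trim($value));
    // Exactly two ASCII letters, and a member of the known set.
    if (!preg_match('/^[A-Z]{2}$/', $st) || !in_array($st, KNOWN_STATES, true)) {
        return null;
    }
    return $st;
}

/**
 * Accept a name made only of letters, comma, dot, hyphen and (assumed) space.
 * Anything else is rejected outright rather than "cleaned up".
 * The 100-character limit is an assumption for this example.
 */
function validateName($value): ?string
{
    if (!is_string($value)) {
        return null;
    }
    $name = trim($value);
    if ($name === '' || strlen($name) > 100 || !preg_match('/^[A-Za-z ,.\-]+$/', $name)) {
        return null;
    }
    return $name;
}

// Constructed request data standing in for $_POST.
$input = [
    'state' => 'ca',
    'name'  => "O'Brien <script>alert(1)</script>",
];

$errors = [];
$st = validateState($input['state'] ?? null);
if ($st === null) {
    $errors[] = 'Please enter a valid two-letter state abbreviation.';
}
$name = validateName($input['name'] ?? null);
if ($name === null) {
    $errors[] = 'Name may contain only letters, spaces, commas, dots and hyphens.';
}

// Outbound side: escape everything that goes back to the browser, including
// the error messages and any echo of what was submitted.
foreach ($errors as $e) {
    echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "\n";
}
echo 'State: ', htmlspecialchars((string) $st, ENT_QUOTES, 'UTF-8'), "\n";
// Echoing the raw name would put the script tag into the page as markup;
// escaped, it renders as literal text.
echo 'Submitted name (escaped): ', htmlspecialchars($input['name'], ENT_QUOTES, 'UTF-8'), "\n";
```

With the constructed input, the state is accepted and normalised to CA, while the name is rejected because it contains characters outside the allowed set; note that the apostrophe alone would already be enough to reject it under the rule in the answer, which is the point of accepting only known good values rather than trying to strip known bad ones.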

Ray Paseur

@rgranlund, I'm concerned that you're missing the point here.  PDO does not sanitize input.  Your own PHP script must sanitize the input.  There is a big difference between making a query string that can work correctly and having the right data in the database after the query has been run.

PHP has functions that we use to sanitize input.  This is what you should be looking at:

And I really urge you to take a moment and read the article linked above.  It will answer your questions about how to use the various MySQL extensions.  The reason I wrote it is because I grew weary of answering this sort of question over and over -- it's such a common question, and so commonly misunderstood, that it needed to be explained in some detail.  The article does that, with tested and working code samples showing, in parallel construction, exactly how to work with MySQL, MySQLi, PDO, and MySQLi with prepared statements.
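An added example illustrating the distinction drawn in this comment (it is not code from the original post or from the linked article): a PDO prepared statement keeps the SQL text intact whatever the bound value contains, but it stores whatever value it is given, so the check that the value is actually a state has to happen in the script before the query. It uses an in-memory SQLite database so it runs without a MySQL server; the table layout and the short KNOWN_STATES list are assumptions.

```php
<?php
// Added example, not from the original post: PDO parameterises the query,
// it does not validate the data. SQLite in memory stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL, state TEXT NOT NULL)');

// Constructed, deliberately short whitelist; a real script would list every code.
const KNOWN_STATES = ['CA', 'NY', 'TX'];

function insertCustomer(PDO $pdo, string $name, string $state): int
{
    // Named placeholders: the values travel separately from the SQL text,
    // so the script does no quoting or escaping of its own.
    $stmt = $pdo->prepare('INSERT INTO customers (name, state) VALUES (:name, :state)');
    $stmt->execute([':name' => $name, ':state' => $state]);
    return (int) $pdo->lastInsertId();
}

// 1. Unvalidated: PDO handles the apostrophe in the name without any help,
//    and it just as happily accepts 'ZZ', which is not a state at all.
//    The query is safe; the row is wrong.
insertCustomer($pdo, "O'Brien", 'ZZ');

// 2. Validated: reject the value before it ever reaches the query.
function insertIfKnownState(PDO $pdo, string $name, string $state): ?int
{
    if (!in_array($state, KNOWN_STATES, true)) {
        echo "Rejected state code: $state\n";
        return null;
    }
    return insertCustomer($pdo, $name, $state);
}
insertIfKnownState($pdo, 'Smith', 'ZZ');   // rejected, nothing stored
insertIfKnownState($pdo, 'Smith', 'CA');   // accepted

// Expect two rows: O'Brien/ZZ from step 1 (bad data, no SQL error) and Smith/CA.
$rows = $pdo->query('SELECT name, state FROM customers ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $r) {
    printf("%-10s %s\n", $r['name'], $r['state']);
}
```

The first insert is the case the comment warns about: the prepared statement makes the query work correctly, yet the database ends up holding a state code that does not exist. Only the in_array() check in the second path produces "the right data in the database".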