$_POST to $_SESSION - Escaping to prevent MySQL Injections

I want to take a $_POST value and chuck it into a $_SESSION variable so information can be temporarily retained until the next $_POST is made.  The values being grabbed from the $_POST are going to be variables sent to MySQL queries.

What is the best way to approach escaping the individual keys in the $_POST without doing them one by one?  Would something like mysql_escape_string($_POST) work?  Or ...?

Thanks!
erzoolander asked:

Julian Hansen commented:
mysql_escape_string - I assume you mean mysql_real_escape_string - if so, that function (along with the rest of the mysql library) is deprecated - if you have not moved over to mysqli / PDO you should consider doing that first.

The mysqli equivalent is http://php.net/manual/en/mysqli.real-escape-string.php

You also want to look at filter_input_array
http://php.net/manual/en/function.filter-input-array.php

In conjunction with
http://php.net/manual/en/book.filter.php
http://php.net/manual/en/filter.filters.sanitize.php

Personally I ensure at DB write time that data is clean by running real_escape_string on the data as I add it to the query.
0
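The following is an added example (not Julian's code) of the two pieces above used together: filter_input_array() validates the whole POST array in one call, the validated copy goes into the session, and at write time the value is escaped with mysqli::real_escape_string(). The connection details, the fruit table and the field names are assumptions. The caveat worth noticing is that real_escape_string() only protects a value that ends up inside a quoted string literal; an integer placed unquoted in the query is protected by validation and the (int) cast, not by escaping.

```php
<?php
// Added example, not from the answer above. Credentials, table and columns are assumed.
session_start();

// One filter definition per expected POST field; anything else is ignored.
$filters = [
    'calories' => ['filter'  => FILTER_VALIDATE_INT,
                   'options' => ['min_range' => 0, 'max_range' => 10000]],
    'colour'   => ['filter'  => FILTER_VALIDATE_REGEXP,
                   'options' => ['regexp' => '/^[a-z]{1,20}$/']],
];

// filter_input_array() returns null when nothing was posted, false for a field that
// fails its filter and null for a field that is missing (add_empty defaults to true).
$input = filter_input_array(INPUT_POST, $filters);
if ($input === null || in_array(false, $input, true) || in_array(null, $input, true)) {
    http_response_code(400);
    exit('Rejected: unexpected POST values');
}

// Keep the validated copy for the next request.
$_SESSION['post'] = $input;

// At DB write time: escape the string as it goes into the query.
$mysqli = new mysqli('localhost', 'user', 'pass', 'db');   // assumed credentials
$mysqli->set_charset('utf8mb4');   // escaping is charset-aware; set it before escaping

$colour   = $mysqli->real_escape_string($_SESSION['post']['colour']);
$calories = (int) $_SESSION['post']['calories'];   // already validated as an int

// The escaped value MUST sit inside quotes; the int is cast, never escaped-and-unquoted.
$sql    = "SELECT name, colour, calories FROM fruit WHERE colour = '$colour' AND calories < $calories";
$result = $mysqli->query($sql);
$rows   = $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
```

If you later bind the same values through mysqli prepared statements instead, the filter definitions stay the same and only the last five lines change.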
Ray Paseur commented:
What's going on with MySQL and how to upgrade:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

You can copy the POST array into the session variable with something like this:
$_SESSION['post'] = $_POST;


Then when you want to use the POST variables from the session, you can either address them directly in the session, or copy the variables into a new array with something like this:
$oldPOST = $_SESSION['post'];



PHP sessions are relatively easy to get right.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11909-PHP-Sessions-Simpler-Than-You-May-Think.html

You must sanitize all external input.  This means filtering as well as escaping the data.  For example, if you expect an integer, test to see that the value is an integer.  If it's not an expected value, ignore the entire request.  The security mantra is "Accept Only Known Good Values."
0
gr8gonzo (Consultant) commented:
> What is the best way to approach escaping the individual keys in the $_POST without doing them one by one?

It is better not to escape the values when you put them into $_SESSION, but rather at the time that you USE the values in your queries.

If you try to escape them when you put them into $_SESSION, you will start to think that $_SESSION values are "safe" and can be used in queries without any further escaping. This type of thinking will lead to security problems because at some point, someone may be able to find a hole in one of your scripts/webpages that allows them to put unescaped values into SESSION variables, and all of your queries will instantly be vulnerable.

So it's much better security practice to escape values as they are used in your queries.

If you want to be fancy about it, you could always create a PHP class that has its own array of data and it always escapes everything that you store into it, and then you only pull data out of this class object.
0
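Ray's "Accept Only Known Good Values" and gr8gonzo's "escape at use time, not at store time" fit together in one flow, shown here as an added example that is not code from either answer. The raw POST array is copied into the session unchanged, and every time a value is about to reach MySQL it is validated against what the query expects and then bound as a parameter. The `fruit` table, the field names and the whitelist of sort columns are assumptions; the point is that nothing in `$_SESSION['post']` is ever treated as safe.

```php
<?php
// Added example, not code from the answers above. Table, fields and credentials are assumed.
session_start();

// Step 1: retain the request as-is. Nothing here is "safe" yet, and nothing pretends to be.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $_SESSION['post'] = $_POST;
}

// Step 2: at use time, accept only known good values. Any single failure rejects the
// whole request instead of patching up individual fields.
function known_good(array $raw): ?array
{
    $allowedSort = ['name', 'calories'];   // an identifier cannot be bound, so it is whitelisted

    $calories = filter_var($raw['calories'] ?? null, FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 0, 'max_range' => 10000]]);
    $colour   = $raw['colour'] ?? '';
    $sort     = $raw['sort'] ?? 'name';

    if ($calories === false)                       return null;   // missing or not an int
    if (!preg_match('/^[a-z]{1,20}$/', $colour))   return null;   // not a plain colour word
    if (!in_array($sort, $allowedSort, true))      return null;   // not a known column

    return ['calories' => $calories, 'colour' => $colour, 'sort' => $sort];
}

$clean = known_good($_SESSION['post'] ?? []);
if ($clean === null) {
    http_response_code(400);
    exit('Rejected: unexpected input');
}

// Step 3: values travel as bound parameters; only the whitelisted identifier is
// interpolated, and it can only ever be one of the two strings above.
$mysqli = new mysqli('localhost', 'user', 'pass', 'db');   // assumed credentials
$stmt = $mysqli->prepare(
    "SELECT name, colour, calories FROM fruit WHERE colour = ? AND calories < ? ORDER BY {$clean['sort']}"
);
$stmt->bind_param('si', $clean['colour'], $clean['calories']);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
```

Because the session holds the raw values, a second script that writes into `$_SESSION['post']` by another path gains nothing: every consumer still runs known_good() and binds parameters, which is the failure mode gr8gonzo describes.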
Ray Paseur commented:
Security, including using external variables in PHP...  It's a lot to take in, but it's required reading for anyone developing PHP scripts.
http://php.net/manual/en/security.php
0
F P commented:
Store the values in a serialized array in the database for better persistence and such.

Some people will tell you to use strip_tags(), but for the absolute best way to do it the fastest way possible I would use the $mysql_conn->real_escape_string() function and cast your integer variables with (int) $var -- don't use intval() -- and all that said,

LEARN PDO or PREPARE YOUR STATEMENTS

and you'll never have any problems with your code. PDO is slower than the MySQLi extension, but it's universal and the speed loss is negligible for its return to your peace of mind.

http://php.net/manual/en/pdo.prepare.php

<?php
/* Execute a prepared statement by passing an array of values */
$sql = 'SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$sth->execute(array(':calories' => 150, ':colour' => 'red'));
$red = $sth->fetchAll();
$sth->execute(array(':calories' => 175, ':colour' => 'yellow'));
$yellow = $sth->fetchAll();
?>



<?php
/* Execute a prepared statement by passing an array of values */
$sth = $dbh->prepare('SELECT name, colour, calories
    FROM fruit
    WHERE calories < ? AND colour = ?');
$sth->execute(array(150, 'red'));
$red = $sth->fetchAll();
$sth->execute(array(175, 'yellow'));
$yellow = $sth->fetchAll();
?>


0
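As an added example (not F P's code and not the manual's snippets), here is the prepared-statement approach applied to values held in the session, with the two details a practitioner usually trips over: an (int) cast silently turns '150abc' into 150 and 'abc' into 0, so the integer is validated before it is cast, and a LIMIT parameter must be bound with PDO::PARAM_INT, because a string-typed parameter would be quoted and refused by MySQL. The DSN, credentials and `fruit` table are assumptions.

```php
<?php
// Added example, not from the answer or the PHP manual. DSN, credentials and table are assumed.
session_start();

$dbh = new PDO('mysql:host=localhost;dbname=db;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,   // fail loudly instead of returning false
    PDO::ATTR_EMULATE_PREPARES   => false,                    // server-side prepares: values never enter the SQL text
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

$post = $_SESSION['post'] ?? [];

// Validate before casting: (int) '150abc' === 150 and (int) 'abc' === 0 would both
// pass silently, while FILTER_VALIDATE_INT rejects them.
$calories = filter_var($post['calories'] ?? null, FILTER_VALIDATE_INT);
$limit    = filter_var($post['limit'] ?? 10, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1, 'max_range' => 100]]);
$colour   = (string) ($post['colour'] ?? '');

if ($calories === false || $limit === false) {
    http_response_code(400);
    exit('Rejected: non-integer value');
}

$sth = $dbh->prepare('SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour
    LIMIT :limit');

// Explicit types: the integer placeholders, LIMIT in particular, must be PARAM_INT.
$sth->bindValue(':calories', (int) $calories, PDO::PARAM_INT);
$sth->bindValue(':colour',   $colour,         PDO::PARAM_STR);
$sth->bindValue(':limit',    (int) $limit,    PDO::PARAM_INT);
$sth->execute();
$rows = $sth->fetchAll();
```

With emulated prepares left at the default (true), PDO builds the SQL string client-side from the bound values; turning it off is what makes the value-versus-query separation real on the wire, which is the peace of mind F P refers to.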
