views:

43

answers:

3

I am using $_GET, $_POST and $_COOKIE variables in method calls, SQL queries and file calls - and it is necessary to escape / rewrite this user-data for better security (avoid injection attacks and the like). How would you recommend this is done?

Some ideas from built-in escape function ... to get the juices flowing:

  • Add backslashes to: \x00, \n, \r, \, ', " and \x1a to make the string safe for SQL queries - as in mysql_real_escape_string().
  • Limit the number of accepted characters to [a-zA-Z0-9 _-\.] (where "\." is an escaped "."-dot).

Your inputs are appreciated. Thanks.

+1  A: 

As escaping depends on the system you are sending the data to, my suggestion would be to use the functions provided by PHP, specifically created for each system.

For instance :

Either way : don't re-invent the wheel !

There are escaping functions/methods that already exists for many kind of output : use those !

Pascal MARTIN
make sure you connect to mysql before using the mysql_* functions above, if you are using mysql that is..
Shrikant Sharat
Don’t put a space before colons, question marks and exclamation marks. That looks awful!
Gumbo
@Gumbo: sorry about that; I usually type in french, and, in french, we put a space before those... And I don't have the reflex to remove those spaces when typing in english...
Pascal MARTIN
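The point of the answer above is that the escaping routine is chosen by the destination of the data, not by where it came from. The following is an added example (not code from the answer or from any of the posters) that puts one hostile input through each of PHP's built-in, context-specific functions. It assumes PHP 7+; the directory `/var/app/uploads` and the function names are hypothetical.

```php
<?php
// Added example, not from the answer above. Assumes PHP 7+. The escaping
// routine is chosen by the destination of the data (HTML, shell, URL,
// file system), not by its origin ($_GET, $_POST, $_COOKIE).
// The upload directory used below is a hypothetical, fixed location.

// HTML text or attribute value. ENT_QUOTES also escapes the single quote,
// which matters inside single-quoted attributes.
function for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// One argument to a command run via exec()/shell_exec(): wrapped in quotes
// with inner quotes escaped. One call per argument, never on the whole line.
function for_shell_arg(string $s): string
{
    return escapeshellarg($s);
}

// Query-string value or path segment in a URL.
function for_url(string $s): string
{
    return rawurlencode($s);
}

// File calls: there is no escaping for paths. Validate against an allow-list
// (no slashes, no leading dot, bounded length) and anchor to a fixed directory.
function for_file(string $uploadDir, string $name): ?string
{
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\z/', $name)) {
        return null; // rejects "../", "/etc/passwd", NUL bytes, hidden files
    }
    return $uploadDir . '/' . $name;
}

// Constructed hostile inputs, one per output context.
$samples = [
    'html'  => '"><script>alert(1)</script>',
    'shell' => 'report.txt; rm -rf /',
    'url'   => 'a b&c=d/..',
    'file'  => '../../etc/passwd',
];

echo for_html($samples['html']), "\n";                    // &quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;
echo 'cat ' . for_shell_arg($samples['shell']), "\n";     // cat 'report.txt; rm -rf /'
echo '/download?name=' . for_url($samples['url']), "\n";  // /download?name=a%20b%26c%3Dd%2F..
var_dump(for_file('/var/app/uploads', $samples['file'])); // NULL
var_dump(for_file('/var/app/uploads', 'avatar_42.png'));  // "/var/app/uploads/avatar_42.png"
```

Note that the file case is validation rather than escaping: a path has no quoting syntax that would make `../` harmless, so the only safe option is to reject anything outside the allowed shape and build the path from a fixed base directory.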
A: 

Also note that some things you must escape (if user entered) are image locations etc

If someone hot linked to an image (for example an avatar) with this

http://yoursite.com/admin/user/delete/1

and then the code in your view is

<img class="avatar" alt="<?php echo $userName; ?>" src="<?php echo $avatarUrl; ?>" />

Then you might be accidentally deleting a user if you are logged in as admin. Of course, hopefully that sort of deletion is done with a post, but it can still be circumvented.

In this case, htmlspecialchars() won't help.

You can make it harder for an attacker by enforcing all data changing methods to be with a post, and you can make it almost impossible by generating a token for every delete action, and verifying it before deleting.

alex
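The answer above describes a CSRF vector (a hot-linked avatar URL triggering an admin action) and the two mitigations: require POST for state changes, and bind each action to a per-session token. The following is an added example, not alex's code, showing both checks. It assumes PHP 7+; session storage is passed in as an array so the functions run without a real session (in an application you would pass `$_SESSION`), and the route `/admin/user/delete/1` is the one from the answer.

```php
<?php
// Added example; not code from the answer above. Assumes PHP 7+.
// Session state is an array argument so this runs stand-alone;
// in a real app pass $_SESSION after session_start().

// Issue (or reuse) a per-session secret that a hot-linked <img> cannot know.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $session['csrf_token'];
}

// A state-changing request is accepted only if it is a POST carrying a token
// equal to the session's copy. hash_equals() is a constant-time comparison.
function csrf_check(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false; // an <img src="..."> fetch is always a GET
    }
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// The admin page embeds the token in a form; a bare GET to the URL cannot supply it.
function delete_form(int $userId, string $token): string
{
    $t = htmlspecialchars($token, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="/admin/user/delete/' . $userId . '">'
         . '<input type="hidden" name="csrf_token" value="' . $t . '">'
         . '<button type="submit">Delete user ' . $userId . '</button>'
         . '</form>';
}

// Demo with a constructed session; no HTTP involved.
$session = [];
$token = csrf_token($session);

// 1. The hot-linked avatar: the browser fetches the URL with GET and no token.
var_dump(csrf_check('GET', [], $session));                         // bool(false)
// 2. A forged cross-site POST: the attacker cannot read the victim's token.
var_dump(csrf_check('POST', ['csrf_token' => 'guess'], $session)); // bool(false)
// 3. The legitimate submission from the admin page's own form.
var_dump(csrf_check('POST', ['csrf_token' => $token], $session));  // bool(true)
echo delete_form(1, $token), "\n";
```

The method check alone is what the answer calls "harder": a GET-only vector such as an image tag is stopped, but a hidden auto-submitting form on an attacker's page still produces a POST. The token is what closes that, because the attacker's page cannot read a value that only the victim's session holds.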
A: 

I'm using it like this:

function escape($sql) {
    // Undo magic_quotes first, otherwise the value would be escaped twice
    if (get_magic_quotes_gpc()) {
        $sql = stripslashes($sql);
    }
    // If this is not an integer, quote it. Note that request values ($_GET etc.)
    // always arrive as strings, so is_int() never matches them and they are always quoted.
    if (!is_int($sql) || $sql == '0') {
        $sql = "'" . mysql_real_escape_string($sql) . "'";
    }
    return $sql;
}

And in MySQL query

mysql_query("SELECT SQL_CACHE * FROM `page` WHERE `id` = ".escape($_GET['id'])." LIMIT 1");
FDisk
This function will only work for SQL queries - not for method and file calls - also, it is MySQL-specific. It must be possible to make a more generic Escape function.
Kristoffer Bohmann
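The wrapper above quotes every request value and relies on MySQL coercing `'5'` to a number; it also depends on the `mysql_*` extension, which was removed in PHP 7. The following is an added example, not FDisk's code, that does the same `page` lookup with a prepared statement and validates `id` as an integer before it reaches SQL at all. It uses an in-memory SQLite database with constructed sample rows so it runs offline; for MySQL only the DSN and credentials of the `new PDO(...)` call change.

```php
<?php
// Added example, not from the answer above. Assumes PHP 7+ with pdo_sqlite.
// The `page` table and the id lookup are from the answer; the rows are constructed.

// Accept only a canonical non-negative decimal string: "12" but not " 12",
// "12abc", "0x1F" or "1 OR 1=1". Returns null for anything else.
function parse_id($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $s = (string) $raw;
    if (!preg_match('/\A(0|[1-9][0-9]{0,9})\z/', $s)) {
        return null;
    }
    return (int) $s;
}

// The value is bound as a parameter, so no quoting or escaping is needed:
// the driver sends it separately from the SQL text.
function find_page(PDO $db, $raw): ?array
{
    $id = parse_id($raw);
    if ($id === null) {
        return null; // rejected before any SQL is built
    }
    $stmt = $db->prepare('SELECT * FROM page WHERE id = :id LIMIT 1');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// For MySQL, also disable emulated prepares so the server does the binding:
// $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE page (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO page (id, title) VALUES (1, 'Home'), (2, 'About')");

var_dump(find_page($db, '1'));          // ["id" => 1, "title" => "Home"]
var_dump(find_page($db, '1 OR 1=1'));   // NULL: never reaches the database
var_dump(find_page($db, "1'; DROP TABLE page; --")); // NULL
var_dump(find_page($db, '99'));         // NULL: well-formed id, no such row
```

This addresses Kristoffer's comment in a different way than a "more generic escape function": for SQL the answer is parameters rather than escaping, and for the other destinations named in the question (method calls, file calls) the right tool is validation against the shape the callee expects, because those sinks have no quoting syntax to escape for.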