I'm just thinking about the best way to go about sanitizing my data to prevent injection attacks. Some people like to sanitize immediately before output, or immediately before insertion to the database... but the problem I see with this is twofold: (1) what if you miss a parameter/variable? (2) what if you're over-sanitizing? Not that it would hurt the output, but there's not much sense sanitizing stuff you already know is safe.

For example, in PHP instead of using $_GET and $_POST couldn't I wrap those with something like:

function get($var) {
    // my_sanitizer() is the placeholder from the question; '?? null' avoids an undefined-index notice
    return my_sanitizer($_GET[$var] ?? null);
}

Or would that not be enough? Where else could malicious code sneak in?


After reading the answers below I realize this question was a bit foolish. It depends on whether you're inserting into the database or outputting HTML. In that case, perhaps it is better to do it just before usage. That's okay though, it's easy enough to wrap output methods too...

+1  A: 

Personally, I'd always sanitize right before you insert into your database; that said, if you have a SQL-based database, parameterized SQL and sprocs are the way to go to ensure you aren't injecting anything that will cause harm.

Nate Bross
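To make the parameterized-SQL point concrete, here is an added example (not from the answer above) using PDO against an in-memory SQLite database, so it runs offline. The table, its two rows and the attacker-style input are constructed for the demo; the same PDO calls apply unchanged to MySQL or PostgreSQL drivers.

```php
<?php
// Added example: string-built SQL beside a PDO prepared statement.
// The database, rows and input below are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// A value an attacker might submit in a form field or query string (constructed).
$name = "bob' OR '1'='1";

// Vulnerable: the input is spliced into the statement text, so a quote in it
// changes the structure of the query instead of being compared as a name.
function findByNameUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterized: the statement text is fixed and the value is bound separately,
// so whatever the input contains it can only ever be compared as data.
function findByNameSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("unsafe: %d row(s)\n", count(findByNameUnsafe($db, $name)));
printf("safe:   %d row(s)\n", count(findByNameSafe($db, $name)));
```

The unsafe query becomes `WHERE name = 'bob' OR '1'='1'` and matches every user; the prepared statement looks for a user literally named `bob' OR '1'='1` and matches none. Note that no escaping function appears anywhere in the safe path, which is the point: the value never has to be made "safe" for SQL because it never becomes part of the SQL.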
A: 

You can do a foreach over the $_POST or $_GET array and sanitize all of it:

foreach ($_POST as $key => $value) {
    // iterate as key => value; iterating values alone would index $_POST with the wrong thing
    $_POST[$key] = addslashes($value);
}

wnoveno
Except this function is not recommended. You should use the database-specific function, like mysqli_real_escape_string(), or better stored procedures.
Matthew Flaschen
Also sanitizing is not just for SQL, you need to have HTML and JS in mind if you output it on a page.
rslite
+3  A: 

There's more than one kind of sanitization, and more than one kind of injection. For instance, you'll generally want to sanitize or escape HTML and JS sometime before output. But the appropriate choice (e.g., stripping out all HTML, allowing HTML in a whitelist, making the user enter something else, or just escaping it so it shows as text) depends on the application.

As far as database injection, I agree with Nate you should use prepared statements for this (sometimes these use escaping internally, but that's not your concern) instead.

In summary, a homemade catch-all my_sanitizer you run immediately upon getting any data is probably the wrong choice.

Matthew Flaschen
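The context-dependence described in the answer above is easiest to see side by side. The following is an added example, not code from any of the posters: one payload rendered into an HTML body, an HTML attribute, an inline JavaScript string and a URL parameter, each with the escaper that context needs, followed by what happens when a value is "sanitized" on input and then escaped again on output. The helper names (escapeHtml, escapeJs, escapeUrl) and the payload are the example's own.

```php
<?php
// Added example: escape for the output context, not once on input.
// Helper names and the sample payload are constructed for this demo.

// HTML body text or a double/single-quoted attribute: entity-encode & < > " '
// so the browser renders characters instead of interpreting markup.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Inline JavaScript string literal: JSON-encode, and hex-escape < > & ' " so the
// value cannot close the surrounding <script> element or an attribute.
function escapeJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// URL query component: percent-encode everything outside the unreserved set.
function escapeUrl(string $s): string
{
    return rawurlencode($s);
}

// One input that tries to break out of several contexts at once (constructed).
$payload = "<script>alert('x')</script>\" onmouseover=\"alert(1)";

// Same value, four contexts, four different correct encodings.
echo '<p>' . escapeHtml($payload) . "</p>\n";
echo '<input value="' . escapeHtml($payload) . "\">\n";
echo '<script>var q = ' . escapeJs($payload) . ";</script>\n";
// A URL inside an attribute gets both layers: URL-encode the component,
// then attribute-encode the whole href.
echo '<a href="' . escapeHtml('/search?q=' . escapeUrl($payload)) . "\">search</a>\n";

// Why a catch-all sanitizer on input misfires: HTML-escaping a value before it is
// stored changes the data (< becomes &lt;), and the output escaper later encodes
// the entity again, so the page shows literal "&lt;" text instead of "<".
$storedWrongly = escapeHtml("O'Brien <info@example.com>");
echo escapeHtml($storedWrongly) . "\n";
```

The rule of thumb the example encodes: store the raw value, bind it with a prepared statement when it goes to the database, and apply exactly one escaper chosen by where the value is about to land. A sanitizer applied to $_GET and $_POST up front cannot know which of those contexts the value will reach, which is why it ends up either too weak for one context or corrupting data for another.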