views: 93
answers: 4

This was taken from O'Reilly's Learn PHP, MySQL, and Javascript:

function sanitizeString($var)
{
    $var = stripslashes($var);   // undo magic_quotes escaping (only correct when magic quotes are on)
    $var = htmlentities($var);   // encode <, >, &, " as HTML entities
    $var = strip_tags($var);     // remove HTML tags (none are left once htmlentities has run)
    return $var;
}

function sanitizeMySQL($var)
{
    $var = sanitizeString($var);
    $var = mysql_real_escape_string($var);   // escape quotes for interpolation into a MySQL query string
    return $var;
}

Is this all one needs for handling POST and GET data? Given the source, I fear this has been dumbed down for beginners and I'm leaving myself vulnerable to attack later on.

Thank you.

A: 

Good start. Ideally, for things that are not freeform, you could use the input in a switch statement (or whatever) to lookup hardcoded values to go into the SQL. That helps prevent things the sanitizing missed.

Peter Loron
+1  A: 

There is no magic bullet function to make user input safe because it depends entirely on what you do with it. For example, if you have a textbox and use it with the above function it will clear this string:

javascript:someFunction()

which isn't a problem... unless you then use that user input in an onclick attribute of a link. Unlikely? Sure. But it's proof by counterexample.

You have to understand what you're using the user input for, what vulnerabilities it might introduce or exploit and then act appropriately.

mysql_real_escape_string() is sufficient to stop SQL injection so that's a no-brainer. To stop XSS is a lot more nebulous.

cletus
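The counterexample above, spelled out as an added example (this is not code from cletus or from the book): sanitizeString() is the book's function, repeated so the script runs on its own; the sample input and the safeHref() allow-list helper are mine. The same sanitized value is harmless as HTML text and dangerous as the value of an href.

```php
<?php
// Added example, not code from the original page. sanitizeString() is the
// book's function, repeated here so the script runs stand-alone.
function sanitizeString($var)
{
    $var = stripslashes($var);
    $var = htmlentities($var);
    $var = strip_tags($var);
    return $var;
}

// Constructed sample input: it contains no <, >, &, " and no tags, so the
// sanitizer returns it byte-for-byte unchanged.
$input = 'javascript:someFunction()';
$clean = sanitizeString($input);

// Context 1: HTML text. The browser displays the characters; nothing runs.
echo '<p>' . $clean . "</p>\n";

// Context 2: URL attribute. The javascript: scheme survives, so the browser
// executes someFunction() when the link is clicked.
echo '<a href="' . $clean . '">click</a>' . "\n";

// Hypothetical helper for the URL context: allow only http/https URLs and
// encode the result for the attribute. Anything else degrades to "#".
function safeHref($url)
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        return '#';
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

echo '<a href="' . safeHref($input) . '">click</a>' . "\n";
echo '<a href="' . safeHref('https://example.com/?q=a&b=c') . '">click</a>' . "\n";
```

The point of the helper is that a URL attribute needs a scheme allow-list, a check that no amount of entity encoding performs; encoding only protects against breaking out of the attribute, not against what the attribute itself does.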
+3  A: 

It's not possible to generally and indiscriminately "sanitize" incoming data. It always depends on what you want to do with it.

The sanitizeString() method is suitable to clean up content that you can't trust (e.g. from an unsecured form) that is to be displayed within the HTML output of your page. Nothing else. It will remove information such as tags, and it will modify special characters.

The sanitizeMySQL() method will do that, plus make it safe to use in a MySQL query. Again, this is useful only if you want to strip down user input e.g. for a guest book or a shoutbox. If you had a CMS with authorized users, you would not want to do this.

Under no circumstances should you blindly apply this to all incoming variables. If you have an order form, for example, that is forwarded to you through E-Mail, htmlspecialchars() would convert all special characters into entities that are displayed literally (like &quot;) in a text-only E-Mail. You wouldn't want to do that.

For a general overview on what sanitization to use where I think this is a good answer. Additionally, if you are going to send E-Mail based on incoming data, check out Mail injections.

Pekka
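The order-form case from the answer above, as an added example that is not part of Pekka's answer: one field goes into the body of a plain-text mail, where entity encoding is wrong, and another goes into a header, where the danger is not HTML at all but an embedded line break that lets the sender append headers of their own. The sample values and the mailHeaderValue() helper are mine.

```php
<?php
// Added example, not code from the original page.

// Constructed order-form values as they would arrive in $_POST.
$company = 'Smith & "Sons" Ltd';
$replyTo = "customer@example.com\r\nBcc: everyone@example.com";

// Wrong for e-mail: htmlspecialchars() turns & and " into &amp; and &quot;,
// which a text-only mail client shows literally.
$htmlReady = htmlspecialchars($company, ENT_QUOTES, 'UTF-8');
echo $htmlReady, "\n";

// Right for the body of a plain-text mail: keep the characters as typed.
$body = 'New order from: ' . $company . "\n";

// Hypothetical header check: a CR or LF inside a header value starts a new
// header line, so the Bcc: smuggled into $replyTo would be honoured by the
// mail transfer agent. Reject such values instead of trying to repair them.
function mailHeaderValue($value)
{
    if (preg_match('/[\r\n\x00]/', $value)) {
        throw new InvalidArgumentException('Line break in mail header value');
    }
    return trim($value);
}

try {
    $headers = 'Reply-To: ' . mailHeaderValue($replyTo) . "\r\n";
    // mail('orders@example.com', 'New order', $body, $headers);
} catch (InvalidArgumentException $e) {
    // Refuse the submission; do not send a message built from this input.
    error_log($e->getMessage());
}

// The same check passes a well-formed address through unchanged.
$headers = 'Reply-To: ' . mailHeaderValue('customer@example.com') . "\r\n";
```

Rejecting rather than stripping is deliberate: a value that contains a header separator was never a legitimate address, and silently cleaning it hides the attempt from your logs.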
+4  A: 

Rather than using the old MySQL driver and mysql_real_escape_string, use a more modern driver that supports prepared statements (e.g. PDO).

htmlentities will convert '<' and '>' into their equivalent HTML character entities, so calling strip_tags after htmlentities will have no effect.

stripslashes should only be called if magic quotes are enabled (use get_magic_quotes_gpc and get_magic_quotes_runtime to test for this).

outis
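The approach outis recommends, as an added example that is not code from the answer or the book: parameters are bound at query time and encoding for HTML happens at output time, so no input-time "sanitizing" function is needed at all. It assumes the pdo_sqlite extension so that it runs offline; against MySQL only the DSN changes. The table, the hostile input and the final two lines (which show the htmlentities/strip_tags ordering point) are mine.

```php
<?php
// Added example, not code from the original page. Assumes pdo_sqlite so it
// runs without a database server; for MySQL only the DSN differs.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE shoutbox (id INTEGER PRIMARY KEY, msg TEXT)');

// Constructed hostile input: closes the string literal, appends a statement,
// comments out the remainder, and carries an HTML tag.
$input = "hi'); DROP TABLE shoutbox; -- <b>bold</b>";

// Storage: the value travels as a bound parameter, never as part of the SQL
// text, so it cannot alter the statement and nothing needs escaping.
// stripslashes() is left out on purpose: magic quotes were removed in
// PHP 5.4, so today it would only corrupt legitimate backslashes.
$stmt = $pdo->prepare('INSERT INTO shoutbox (msg) VALUES (:msg)');
$stmt->execute([':msg' => $input]);

// Display: encode for the HTML context at output time, not at input time.
// The stored value is still the exact text the user typed.
foreach ($pdo->query('SELECT msg FROM shoutbox') as $row) {
    echo '<li>' . htmlspecialchars($row['msg'], ENT_QUOTES, 'UTF-8') . "</li>\n";
}

// The ordering point from the answer: after htmlentities() there are no
// literal < or > left, so strip_tags() has nothing to remove; called on the
// raw string first, it does strip the tag.
$tagged = '<b>bold</b>';
var_dump(strip_tags(htmlentities($tagged)) === htmlentities($tagged));
var_dump(strip_tags($tagged));
```

Keeping the raw text in the database is what makes the CMS case from Pekka's answer work too: the same stored value can be rendered as HTML for one view and as plain text for an e-mail, each with the encoding that context needs.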