views: 209
answers: 8
Is this enough?

$listing = mysql_real_escape_string(htmlspecialchars($_POST['listing']));
A: 

Yes. However, you shouldn't use htmlspecialchars on input. Only on output, when you print it.

This is because it's not certain that the output will always be through HTML. It could be through a terminal, so it could confuse users if weird codes suddenly show up.

Tor Valamo
A: 

What if your listing variable is an array?

You should sanitize this variable recursively.

Edit:

Actually, with this technique you can avoid SQL injections but you can't avoid XSS.

In order to sanitize an "unreliable" string, I usually combine strip_tags and html_entity_decode. This way, I avoid all code injection, even if characters are encoded in an unusual way.

$cleaned_string = strip_tags( html_entity_decode( $var, ENT_QUOTES, 'UTF-8' ) );

Then, you have to build a recursive function which calls the previous functions and walks through multi-dimensional arrays.

In the end, when you want to use a variable in an SQL statement, you can use the DBMS-specific (or PDO's) escaping function.

$var_used_with_mysql = mysql_real_escape_string( $cleaned_string );
Arno
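The recursive walk this answer describes, written out as an added example (it is not code from the answer or from any project): every string leaf of a nested $_POST value goes through the answer's strip_tags/html_entity_decode step, and the result is then handed to MySQL through a PDO prepared statement, which takes the place of the mysql_real_escape_string() call. The listing structure, table name, column names and DSN are assumptions made for the example.

```php
<?php
// Added example: recursive cleaning of a nested request value, then a
// parameterised INSERT. Table, columns and DSN are assumed values.

function clean_string(string $value): string
{
    // Same step as the answer: decode entities first so that an encoded
    // tag such as &lt;script&gt; becomes a real tag, then strip all tags.
    return strip_tags(html_entity_decode($value, ENT_QUOTES, 'UTF-8'));
}

/**
 * Apply clean_string() to every string inside a value, however deeply
 * nested. Non-string scalars (int, float, bool, null) pass through
 * unchanged. String keys are cleaned too, since they also come from the
 * client.
 */
function clean_recursive($value)
{
    if (is_array($value)) {
        $cleaned = [];
        foreach ($value as $key => $item) {
            $cleanKey = is_string($key) ? clean_string($key) : $key;
            $cleaned[$cleanKey] = clean_recursive($item);
        }
        return $cleaned;
    }
    return is_string($value) ? clean_string($value) : $value;
}

// Constructed sample input standing in for $_POST['listing'].
$listing = [
    'title' => 'Flat for rent <script>alert(1)</script>',
    'tags'  => ['&lt;b&gt;cheap&lt;/b&gt;', "O'Reilly's place"],
    'rooms' => 3,
];

$cleaned = clean_recursive($listing);
// The <script> element in 'title' loses its tags (its text content stays),
// the entity-encoded <b> around 'cheap' is decoded and then stripped, and
// the apostrophes in the second tag are left alone: they are harmless for
// the database because the value is bound as a parameter below rather
// than spliced into the SQL string.

// Prepared statement: the driver quotes the bound values itself, so no
// mysql_real_escape_string() call is needed (assumed DSN and credentials).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$stmt = $pdo->prepare(
    'INSERT INTO listings (title, tags, rooms) VALUES (:title, :tags, :rooms)'
);
$stmt->execute([
    ':title' => $cleaned['title'],
    ':tags'  => implode(',', $cleaned['tags']),
    ':rooms' => (int) $cleaned['rooms'],
]);
```

Note that the cleaning and the SQL handling are independent: the prepared statement alone prevents SQL injection, so clean_recursive() is only doing the HTML-related stripping the answer asks for, and (as the other answers point out) that stripping is destructive, so it is worth deciding per field whether the stored text should lose its markup permanently.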
+2  A: 

Depends - if you are expecting text, it's just fine, although you shouldn't put the htmlspecialchars in input. Do it in output.

You might want to read this: http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php

Jimmie Lin
+1  A: 

See:

And sanitise data immediately before it is used in the context it needs to be made safe for. (e.g. don't run htmlspecialchars until you are about to output HTML, you might need the unedited data before then (such as if you ever decide to send content from the database by email)).

David Dorward
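What "sanitise immediately before use, in the context it is used in" looks like in practice, as an added example (not code from this or any other answer): the value is kept exactly as the user typed it and is escaped differently for each sink it reaches. The listing text is constructed; no database call is shown, the string simply stands in for what a query would return.

```php
<?php
// Added example: one raw stored value, three output contexts.
// $listing is a constructed sample of what the database hands back.
$listing = 'Garage & workshop, <100 m2, "quiet" street, owner: O\'Neil';

// HTML context: escape at print time. ENT_QUOTES converts both quote
// characters, so the same helper is safe inside attribute values too.
function render_html(string $text): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    return '<p class="listing" title="' . $safe . '">' . $safe . '</p>';
}

// Plain-text e-mail body: no HTML escaping at all, otherwise the reader
// would see &amp; and &quot; in the message. The text is used as-is.
function render_mail_body(string $text): string
{
    return "New listing:\n" . $text . "\n";
}

// Mail header context (a Subject line): HTML entities are irrelevant here,
// but CR/LF must not pass through, or the user text could add headers.
function render_mail_subject(string $text): string
{
    return 'Listing: ' . str_replace(["\r", "\n"], ' ', $text);
}

// JSON context (an API response): json_encode() escapes for JSON; the
// JSON_HEX_* flags additionally make the result safe to embed in HTML.
function render_json(string $text): string
{
    return json_encode(
        ['listing' => $text],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS
    );
}

echo render_html($listing), PHP_EOL;
echo render_mail_subject($listing), PHP_EOL;
echo render_mail_body($listing);
echo render_json($listing), PHP_EOL;
```

Had htmlspecialchars() been applied on input, the e-mail and JSON outputs would carry HTML entities the recipient never asked for, and there would be no reliable way to get the original text back for the next context that needs it.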
A: 

It depends on what you want to achieve. Your version prevents (probably) all SQL injections and strips out HTML (more exactly: Prevents it from being interpreted when sent to the browser). You could (and probably should) apply the htmlspecialchars() on output, not input. Maybe some time in the future you want to allow simple things like <b>.

But there's more to sanitizing, e.g. if you expect an Email Address you could verify that it's indeed an email address.

Pascal
A: 

As has been said, don't use htmlspecialchars on input, only output. Another thing to take into consideration is ensuring the input is as expected. For instance, if you're expecting a number, use is_numeric(), or if you're expecting a string to only be of a certain size or at least a certain size, check for this. This way you can then alert users to any errors they have made in their input.

RMcLeod
+3  A: 

You can use the PHP function filter_var().

A good tutorial in the link:

http://www.phpro.org/tutorials/Filtering-Data-with-PHP.html

Example to sanitize an integer:

To sanitize an integer is simple with the FILTER_SANITIZE_NUMBER_INT filter. This filter strips out all characters except for digits and . + - It is simple to use and we no longer need to boggle our minds with regular expressions.

<?php

/*** an integer ***/
$int = "abc40def+;2";

/*** sanitize the integer ***/
echo filter_var($int, FILTER_SANITIZE_NUMBER_INT);

?>

The above code produces an output of 40+2, as the non-INT values, as specified by the filter, have been removed.

Haim Evgi
A: 

In addition to sanitizing the data you should also validate it, like checking for numbers after you ask for an age, or making sure that an email address is valid. Besides the security benefit, you can also notify your users about problems with their input.

I would assume it is almost impossible to make an SQL injection if the input is definitely a number or definitely an email address so there is an added level of safety.

Chaim Chaikin
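The validation the last three answers describe (filter_var() from Haim Evgi's answer, the size checks from RMcLeod's, the age and e-mail checks from Chaim Chaikin's), pulled together as one added example that is not code from any of the answers. It validates rather than sanitizes, collects every problem so the user can be told about all of them at once, and only hands on typed values. The field list and the constructed $_POST-like input are assumptions for the example.

```php
<?php
// Added example: validate each field against the type it must have and
// report all failures. $input is a constructed stand-in for $_POST with
// two bad values (age, title) and two good ones (email, price).
$input = [
    'age'   => '4x2',                 // not an integer
    'email' => 'alice@example.com',   // syntactically valid
    'title' => str_repeat('a', 300),  // too long
    'price' => '12.50',               // valid decimal
];

function validate_listing(array $in): array
{
    $errors = [];
    $clean  = [];

    // Whole number in a plausible range. FILTER_VALIDATE_INT rejects "4x2"
    // outright, whereas FILTER_SANITIZE_NUMBER_INT would quietly turn the
    // same input into "42" and hide the user's mistake.
    $age = filter_var($in['age'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
    ]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number between 0 and 150.';
    } else {
        $clean['age'] = $age;
    }

    // E-mail address: a syntax check only; it says nothing about whether
    // the mailbox exists.
    $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Please enter a valid e-mail address.';
    } else {
        $clean['email'] = $email;
    }

    // Free text: enforce a length window, counted in characters, not bytes,
    // so multibyte input is not cut short or let through by accident.
    $title = trim((string) ($in['title'] ?? ''));
    $len   = mb_strlen($title, 'UTF-8');
    if ($len < 3 || $len > 100) {
        $errors['title'] = 'Title must be between 3 and 100 characters.';
    } else {
        $clean['title'] = $title;
    }

    // Decimal amount that must not be negative.
    $price = filter_var($in['price'] ?? '', FILTER_VALIDATE_FLOAT);
    if ($price === false || $price < 0) {
        $errors['price'] = 'Price must be a non-negative number.';
    } else {
        $clean['price'] = $price;
    }

    return ['clean' => $clean, 'errors' => $errors];
}

$result = validate_listing($input);
if ($result['errors'] !== []) {
    // Show the user every problem in one round trip.
    foreach ($result['errors'] as $field => $message) {
        echo "$field: $message", PHP_EOL;
    }
} else {
    // $result['clean'] holds int, string and float values that can be
    // bound to a prepared statement; no escaping step is needed here.
}
```

The point of returning the validated values rather than the raw ones is that a field which passed FILTER_VALIDATE_INT is an int from then on, which is what the last answer means by there being no room left for an injection in a value that is definitely a number.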