I have a simple contact form with name, email, a select list, and textarea. In my mailer PHP script I'm trying to add a simple filter to prevent SQL injection or other forms of hacking.

For example, I'm using

$name = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_SPECIAL_CHARS);

Is this good?

A: 

To test the effectiveness, try attacking your own site with SQL injection attacks. Basically, try passing strings like ' || 1=1 and see if you get an error. If you get an error, or if you get an unexpected result, your site is open to attacks. Otherwise, it is probably working; but to be sure, make sure you do lots of testing.

SimpleCoder
Thanks for the suggestion, I tried `'` and I get `'` in my email. So I guess it's effective :)
Virgdia
SimpleCoder
They're all being filtered :) FILTER_SANITIZE_SPECIAL_CHARS seems to be good :)
Virgdia
A: 

The better option is to use the mysqli extension and prepared statements. However, there does exist the mysql_real_escape_string() function which specifically "escapes special characters in a string for use in an SQL statement".

jay.lee
I see but I'm not sending data to the database but emails
Virgdia
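The difference between splicing the posted value into the SQL text and binding it, as an added example that is not code from either answer. It uses PDO with an in-memory SQLite database so it runs with nothing beyond PHP's pdo_sqlite driver; the mysqli prepare() / bind_param() pair the answer recommends works the same way. The table, its rows and the probe string are constructed for the example.

```php
<?php
// Added example: concatenated SQL versus a prepared statement.
// PDO + in-memory SQLite is used so it runs without a MySQL server; the
// pattern is identical with mysqli->prepare() and bind_param().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');
$db->exec("INSERT INTO contacts (name, email) VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Vulnerable: the posted value is spliced into the SQL text, so a quote
// ends the string literal and whatever follows is parsed as SQL.
function find_concatenated(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM contacts WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the statement is compiled first and the value is sent separately,
// so the quote is just a character inside the bound parameter.
function find_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM contacts WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A probe in the spirit of the first answer's: the quote closes the literal,
// OR 1=1 makes the condition always true, and -- comments out the closing quote.
$probe = "' OR 1=1 --";

printf("concatenated: %d rows\n", count(find_concatenated($db, $probe)));
printf("prepared:     %d rows\n", count(find_prepared($db, $probe)));
```

The concatenated version returns both rows, because the WHERE clause has become `name = '' OR 1=1`; the prepared version returns none, because no contact is literally named `' OR 1=1 --`. This is what the quote test in the first answer is probing for, and binding closes it regardless of which characters an input filter happens to encode.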
A: 

What should it do if you aren't open to attacks?

Liam Bailey
You mean the filter code? It prevents SQL attacks.
Virgdia
+1  A: 

Firstly, let me tell you that about 85% of protection methods are done with 2 functions.

Firstly, if someone sends some data to your site such as $_POST['name'], and you wish to use this value back on the HTML side, such as <p>The following string: {$_POST['name']} is invalid</p>, then you should ALWAYS make sure that that value has been through htmlspecialchars; this will protect against most XSS attempts.

Next is injection: if the value of $_POST['name'] is going into your database, just make sure that you use mysql_real_escape_string on that value.

That will give you 100% protection from SQL injection, but all that means is that your DB cannot run commands from the user; that doesn't mean that the text is what it should be.

The functions that you should always use before inserting data into your database are

This is called validation and is only needed for you to make sure the data the user is submitting is what you want; for example, filter_var would be used to validate that the email they entered is an email and not just some blah blah.

What I usually tend to do is run a clean function to make sure that all input data is clean with htmlspecialchars.

example:

function clean($array)
{
    foreach($array as $key => $val)
    {
        if(is_array($val))
        {
            $array[$key] = clean($val); //Recursive: nested arrays (e.g. checkbox groups) are cleaned too
        }else
        {
            // ENT_QUOTES encodes both ' and " in addition to <, > and &
            $array[$key] = htmlspecialchars($val, ENT_QUOTES);
        }
    }
    return $array;
}

Then do the following to make sure that you're safe from XSS:

$_GET = clean($_GET);
$_POST = clean($_POST);

So if someone tried to submit <a href='test'>Test</a> then the value would be converted to &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;

RobertPitt
Excellent explanation! Thank you for the function as well :) Would you think that `FILTER_SANITIZE_SPECIAL_CHARS` is a better alternative to the function or will have the same result?
Virgdia
No, though **FSSC** is very good, I can vouch for the two other functions as the most effective within PHP.
RobertPitt
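An added example, not the answer's or the asker's own code, that puts the pieces discussed in this thread together for the asker's actual situation (a form whose values go into an email, not a database): each field is validated for what it is, and HTML escaping is done where the value is written into HTML. It also shows concretely whether FILTER_SANITIZE_SPECIAL_CHARS and htmlspecialchars give the same result, which the comments above ask. Assumptions: the field names (name, email, a select list called subject, message), the allow-list of subject options, the sender's name going into a Reply-To header, and the two sample submissions are all constructed for the example.

```php
<?php
// Added example: validate each field for what it is, escape at output time.
// Field names, the subject allow-list and the Reply-To header are assumptions.

function validate_contact(array $post): array
{
    $errors = [];

    // Validation rather than sanitisation: is the address actually an address?
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email is not a valid address';
    }

    // A select list is checked against the options the form offered, not
    // "cleaned": anything else is a tampered request and is rejected.
    $allowed = ['sales', 'support', 'other'];
    $subject = $post['subject'] ?? '';
    if (!in_array($subject, $allowed, true)) {
        $errors[] = 'subject is not one of the offered options';
    }

    // Assumed: the name is written into a mail header ("Reply-To: name <email>").
    // Header fields must not contain line breaks; a CR/LF in the value would let
    // the submitter append headers of their own, such as a Bcc:.
    $name = trim($post['name'] ?? '');
    if ($name === '' || preg_match('/[\r\n]/', $name)) {
        $errors[] = 'name is empty or contains a line break';
    }

    return [
        'ok'      => $errors === [],
        'errors'  => $errors,
        'name'    => $name,
        'email'   => $email,
        'subject' => $subject,
        'message' => (string) ($post['message'] ?? ''),
    ];
}

// Escape when writing into HTML (an HTML-formatted mail or the "thanks" page),
// not when reading the request; the raw value stays intact for a plain-text body.
function for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed submissions: the asker's quote test with a tag added, and a
// header-injection attempt in the name field.
$good = [
    'name'    => "O'Brien <b>bold</b>",
    'email'   => 'obrien@example.com',
    'subject' => 'support',
    'message' => "Hello\nthere",
];
$bad = $good;
$bad['name'] = "Eve\r\nBcc: everyone@example.com";

var_dump(validate_contact($good)['ok'], validate_contact($bad)['ok']);

// The two encoders compared in the comments above do not produce the same
// bytes, although both neutralise the characters that matter inside HTML.
echo filter_var($good['name'], FILTER_SANITIZE_SPECIAL_CHARS), "\n";
echo for_html($good['name']), "\n";
```

The first submission validates and the second is rejected on the name field. The last two lines print `O&#39;Brien &#60;b&#62;bold&#60;/b&#62;` and `O&#039;Brien &lt;b&gt;bold&lt;/b&gt;`: FILTER_SANITIZE_SPECIAL_CHARS emits numeric entities and htmlspecialchars named ones, so the two are equivalent for HTML output but not byte-for-byte the same. Neither does anything for the SQL or mail-header contexts, which is why the example validates the address and rejects line breaks separately rather than relying on one filter for everything.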