views: 19
answers: 2

Hello,

I'm building a search page and I'm a bit unsure on what I should do in regard to sanitizing and validating user input.

The search page has filters which are passed via querystrings. (some passed from inputs and others from links with checkbox/radio like behavior)

What should I look out for in this situation? Can I be safe using just preg_replace (strip all but) and escaping?

Also - do I need to do anything to the querystrings (with the user input) before putting them in links? Should I add another query to retrieve possible values, loop through the results and exclude those user inputs that aren't found? (preventing the links from appending a bogus filter option the user might have put in. Although wouldn't that just affect the user with the altered url?)

I don't know if it matters but some filters passed in the querystrings are arrays.

What do you think? I'm quite new to this and I appreciate the help. Thanks!

A: 

It's not clear from your question what you are trying to protect, but the usual issue with sanitizing input is the database.

In that case, the most important thing is: use parameterized queries. This solves most of your problems immediately. Here's a good answer.

No amount of escaping is better than that.

As for sanitizing the querystring itself, ask yourself: if an attacker constructed a URL by hand, could something bad happen? Or would they just get an error page?

egrunin
A: 

PHP comes with functions specifically for sanitizing strings for use in a MySQL query.

If you are using the (old-fashioned) PHP function mysql_query() to issue your queries to the database, have a look at the PHP function mysql_real_escape_string.

$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
        mysql_real_escape_string($user),
        mysql_real_escape_string($password));
Pelle ten Cate
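As an added example (not code from the question or from either answer), here is how the points raised on this page fit together in PHP: the free-text term and every filter value are bound as parameters in the style the first answer recommends, the checkbox/radio-style filters are checked against a whitelist before they are used in SQL or echoed back into links, and array filters are expanded into an IN list with one placeholder per value. The table name, the column names, the allowed values, the `search.php` URL and the constructed `$input` array are all assumptions; the query string is meant for a PDO connection, which is not opened here.

```php
<?php
// Added example, not from the page: validate querystring filters against a
// whitelist, bind all user-supplied values, rebuild links from clean data only.
// Assumed schema: table `products` with columns id, name, category, colour.
declare(strict_types=1);

// Checkbox/radio-style filters: only these names and values are ever accepted.
const ALLOWED_FILTERS = [
    'category' => ['books', 'music', 'games'],
    'colour'   => ['red', 'green', 'blue'],
];

/**
 * Keep only known filter names and whitelisted values. Scalars (radio) and
 * arrays (checkbox groups) both come back as arrays for uniform binding.
 */
function validateFilters(array $query): array
{
    $clean = [];
    foreach (ALLOWED_FILTERS as $name => $allowedValues) {
        if (!isset($query[$name])) {
            continue;
        }
        $values = is_array($query[$name]) ? $query[$name] : [$query[$name]];
        $values = array_filter($values, 'is_string');   // ignore nested arrays
        $kept   = array_values(array_intersect($values, $allowedValues));
        if ($kept !== []) {
            $clean[$name] = $kept;
        }
    }
    return $clean;
}

/**
 * Build a parameterised statement. Every user value becomes a "?" placeholder;
 * only column names taken from the whitelist keys are placed in the SQL text.
 */
function buildSearchQuery(string $term, array $filters): array
{
    $sql    = 'SELECT id, name FROM products WHERE name LIKE ?';
    $params = ['%' . $term . '%'];

    foreach ($filters as $column => $values) {
        $marks  = implode(', ', array_fill(0, count($values), '?'));  // IN (?, ?)
        $sql   .= sprintf(' AND %s IN (%s)', $column, $marks);
        $params = array_merge($params, $values);
    }
    return [$sql, $params];
}

/**
 * Href for a filter link. The carried-over filters are re-validated, so a
 * bogus value in the current URL never propagates, and the result is
 * HTML-escaped before it is placed in an href attribute.
 */
function filterLink(string $term, array $filters, string $name, string $value): string
{
    $next        = $filters;
    $next[$name] = array_unique(array_merge($next[$name] ?? [], [$value]));
    $next        = validateFilters($next);
    $qs          = http_build_query(['q' => $term] + $next);
    return htmlspecialchars('search.php?' . $qs, ENT_QUOTES, 'UTF-8');
}

// Constructed input standing in for $_GET (assumption, not real traffic).
$input = [
    'q'        => "O'Reilly",          // the quote is harmless: it is bound, not escaped
    'category' => ['books', 'toys'],   // 'toys' is not whitelisted and is dropped
    'colour'   => 'red',
];
$term    = (string) ($input['q'] ?? '');
$filters = validateFilters($input);    // ['category' => ['books'], 'colour' => ['red']]
[$sql, $params] = buildSearchQuery($term, $filters);

// With a live connection: $stmt = $pdo->prepare($sql); $stmt->execute($params);
echo $sql, PHP_EOL;      // SELECT id, name FROM products WHERE name LIKE ? AND category IN (?) AND colour IN (?)
print_r($params);        // ['%O'Reilly%', 'books', 'red']
echo filterLink($term, $filters, 'colour', 'blue'), PHP_EOL;
```

This answers the second part of the question without an extra lookup query: because links are rebuilt from the validated filter array rather than from the raw querystring, an altered URL can at most produce an empty result set for the person who edited it, and it never reaches the SQL text or the page's HTML unescaped.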