At the moment, I apply a 'throw everything at the wall and see what sticks' method of stopping the aforementioned issues. Below is the function I have cobbled together:

function madSafety($string)
{
    // Escape quotes and other special characters for MySQL (requires an open mysql_* connection)
    $string = mysql_real_escape_string($string);
    // Remove backslashes, including the ones the escaping call just added
    $string = stripslashes($string);
    // Remove HTML and PHP tags
    $string = strip_tags($string);
    return $string;
}

However, I am convinced that there is a better way to do this. I am using FILTER_SANITIZE_STRING and this doesn't appear to be totally secure.

I guess I am asking, which methods do you guys employ and how successful are they? Thanks

+2  A: 

Don't! Using mysql_real_escape_string is enough to protect you against SQL injection, and the stripslashes you are doing after it makes you vulnerable to SQL injection. If you really want it, put it before, as in:

function madSafety($string)
{
    $string = stripslashes($string);
    $string = strip_tags($string);
    $string = mysql_real_escape_string($string);
    return $string;
}

stripslashes is not really useful if you are doing mysql_real_escape_string.

strip_tags protects against HTML/XML injection, not SQL.

The important thing to note is that you should escape your strings differently depending on the immediate use you have for them.

When you are doing MySQL requests, use mysql_real_escape_string. When you are outputting web pages, use htmlentities. To build web links, use urlencode.

As vartec noted, if you can use placeholders by all means do it.

kmkaplan
Actually, mysql_real_escape_string is not entirely safe either. See http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
Michael Borgwardt
+5  A: 

The best way against SQL injection is to bind variables, rather than "injecting" them into the string. http://www.php.net/manual/en/mysqli-stmt.bind-param.php

As for XSS, use strip_tags() with a list of allowed tags.

vartec
Be careful with allowable tags - pretty well any tag can have JS embedded into it.
Dominic Rodger
Also - see http://isisblogs.poly.edu/2008/08/16/php-strip_tags-not-a-complete-protection-against-xss/
Dominic Rodger
strip_tags is flawed. Escape strings, or if you really need to allow HTML, use HtmlPurifier.
troelskn
+11  A: 

Just doing a lot of stuff that you don't really understand is not going to help you. You need to understand what injection attacks are and exactly how and where you should do what.

In bullet points:

  • Disable magic quotes. They are an inadequate solution, and they confuse matters.
  • Never embed strings directly in SQL. Use bound parameters, or escape (using mysql_real_escape_string).
  • Don't unescape (e.g. stripslashes) when you retrieve data from the database.
  • When you embed strings in HTML (e.g. when you echo), you should default to escaping the string (using htmlspecialchars).
  • If you need to embed HTML strings in HTML, you must consider the source of the string. If it's untrusted, you should pipe it through a filter. strip_tags is in theory what you should use, but it's flawed; use HtmlPurifier instead.

See also: http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php

troelskn
Excellent - this is significantly better than the response I was writing, now abandoned. +1
Dominic Rodger
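The pattern troelskn's bullet points and vartec's bind_param link describe, as an added example that is not code from any of the answers: the value is stored and queried through bound parameters, never escaped or unescaped in between, and is escaped only at output, per context. It uses PDO with an in-memory SQLite database (an assumption made so it runs without a MySQL server); the prepare/execute shape is the same with mysqli_stmt::bind_param.

```php
<?php
// Added example, not from the thread. PDO + in-memory SQLite so it runs offline;
// the same prepare/execute pattern applies to mysqli with bind_param.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed "user input": quotes that break string-built SQL, and markup
// that would become live HTML if echoed raw.
$author = "O'Brien";
$body   = "<script>alert(1)</script> 1' OR '1'='1";

// Store it exactly as received: no mysql_real_escape_string, no stripslashes,
// no strip_tags. The driver sends the values separately from the SQL text, so
// quotes inside the data cannot change the statement's structure.
$insert = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$insert->execute([':author' => $author, ':body' => $body]);

// Query by the same untrusted value, again through a bound parameter.
$select = $db->prepare('SELECT author, body FROM comments WHERE author = :author');
$select->execute([':author' => $author]);
$row = $select->fetch(PDO::FETCH_ASSOC);

// Nothing is unescaped on the way out; the row holds the original characters.
assert($row['author'] === $author && $row['body'] === $body);

// Escape at the point of use, per context:
//   htmlspecialchars for HTML text and attribute values,
//   urlencode for a value placed in a URL query string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$authorLink = '/comments.php?author=' . urlencode($row['author']);
echo '<p><a href="' . h($authorLink) . '">' . h($row['author']) . '</a>: '
   . h($row['body']) . "</p>\n";
```

If the application must allow some HTML in $body, the h() call on it is replaced by a whitelist filter such as HtmlPurifier, as the answer says; everything else stays the same.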