PHP
Mikhail Pakhmutov, 2014-01-22 22:53:53

What kind of incoming data filtering do you perform?

I have been doing web development for many years and for login I allow only letters, numbers and spaces, and I don’t limit or filter the password.
What methods do you use to protect against SQL injections in, for example:
- login
- password
- article title (no HTML; are strip_tags and addslashes enough?)
- article content (only addslashes?)
Thanks a lot.

2 answer(s)
Sergey, 2014-01-22
Protko @Fesor

Restricting users in what characters they want to use is stupid.
The problem of SQL injections in the context of PHP is solved using PDO + prepared statements.
The XSS problem is solved by escaping (htmlentities). It's easier to use templating engines like twig, which by default will escape all output data.
In general, I think you should take some popular framework (doctrine2, silex, etc.) and not worry about most of these problems.

akashtrih, 2014-01-23
@akashtrih

When adding data to the database, to prevent SQL injection, we pass all data through mysql_real_escape_string:

<?php
// Quote and escape one value for use in a mysql_* query (needs an open mysql_connect() link).
function sanitize($string) {
    return "'" . mysql_real_escape_string($string) . "'";
}
// The original snippet called an undefined sql_sprintf(); plain sprintf() does the same here.
$query = sprintf(
    "SELECT * FROM users WHERE user=%s AND mail=%s",
    sanitize($_POST['login']),
    sanitize($_POST['mail'])
);

To prevent XSS, we use htmlentities() in attributes and htmlspecialchars() elsewhere.
But, as @Fesor already said, you need to use PDO or DBAL to work with the database, not the mysql_* functions, which are not recommended (there are even special red warning doodles on the documentation pages).
To check an uploaded image, use the getimagesize() function.
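As an added example (not code from either answer), here is the users lookup from the second answer rewritten the way the first answer recommends: PDO with real prepared statements for the query, and an output-side escaping helper for the page. The DSN, credentials, table columns and the `h()` helper name are assumptions.

```php
<?php
// Added example: PDO prepared statements instead of quoting/escaping, plus
// htmlspecialchars() on output. DSN and credentials below are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4', // placeholder DSN
        'app_user',                                         // placeholder user
        'app_password',                                     // placeholder password
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            // Server-side prepares: bound values are never spliced into the SQL text,
            // so the user/mail strings cannot change the query's structure.
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

/**
 * Look up a user by login and mail. Both values are bound as parameters,
 * so no quoting, addslashes() or *_escape_string() is needed (or allowed).
 */
function findUser(PDO $pdo, string $login, string $mail): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, user, mail FROM users WHERE user = :user AND mail = :mail'
    );
    $stmt->execute([':user' => $login, ':mail' => $mail]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

/** Escape for an HTML text node or attribute; ENT_QUOTES covers both " and '. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo  = connect();
$user = findUser($pdo, $_POST['login'] ?? '', $_POST['mail'] ?? '');

if ($user === null) {
    echo '<p>Unknown user</p>';
} else {
    // Same helper is safe in an attribute and in element text.
    echo '<p>Welcome, <span title="' . h($user['mail']) . '">' . h($user['user']) . '</span></p>';
}
```

Escaping happens at the output boundary only; the stored values stay as the user typed them, which is what makes the "what characters to allow in a login" question moot for injection purposes.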
