0

I am using $_GET, $_POST and $_COOKIE variables in method calls, SQL queries and file calls - and it is necessary to escape / rewrite this user-data for better security (avoid injection attacks and the like). How would you recommend this is done?

Some ideas from built-in escape function ... to get the juices flowing:

  • Add backslashes to: \x00, \n, \r, \, ', " and \x1a to make the string safe for SQL queries - as in mysql_real_escape_string().
  • Limit the number of accepted characters to [a-zA-Z0-9 _-\.] (where "\." is an escaped "."-dot).

Your inputs are appreciated. Thanks.

Improve this question

3 Answers 3

Reset to default
1

As escaping depends on the system you are sending the data too, my suggestion would be to use the functions provided by PHP, specifically created for each system.

For instance :

Either way : don't re-invent the wheel !

There are escaping functions/methods that already exists for many kind of output : use those !

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

make sure you connect to mysql before usint the mysql_* functions above, if you are using mysql that is..
Don’t put a space before colons, question marks and exclamation marks. That looks awful!
@Gumbo: sorry about that; I usually type in french, and, in french, we put a space before those... And I don't have the reflex to remove those spaces when typing in english...
0

Also note that somethings you must escape (if user entered) are image locations etc

If someone hot linked to an image (for example an avatar) with this

http://yoursite.com/admin/user/delete/1

and then the code in your view is

<img class="avatar" alt="<?php echo $userName; ?>" src="<?php $avatarUrl; ?>" />

Then you might be accidentally deleting a user if you are logged in as admin. Of course, hopefully that sort of deletion is done with a post, but it can still be circumvented.

In this case, htmlspecialchars() won't help.

You can make it harder for an attacker by enforcing all data changing methods to be with a post, and you can make it almost impossible by generating a token for every delete action, and verifying it before deleting.

Improve this answer

Comments

0

I'm using like this:

function escape($sql) {
    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $sql = stripslashes($sql);
    }
    //if this is the intedger
    if (!is_int($sql) || $sql == '0') {
        $sql = "'" . mysql_real_escape_string($sql) . "'";
    }
    return $sql;
}

And in MySQL query

mysql_query("SELECT SQL_CACHE * FROM `page` WHERE `id` = ".escape($_GET['id'])." LIMIT 1");
Improve this answer

1 Comment

This function will only work for SQL queries - not for method and file calls - also, it is MySQL-specific. It must be possible to make a more generic Escape function.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.