
I am reading about FILTER_SANITIZE_STRING being deprecated, so I am looking for the best option to filter inputs for security reasons, to prevent MySQL injections and XSS injections too.

My users will only send plain text on my website so I don't need to store any symbols or html at all.

Here is how I am taking care of the security until now:

$mail->Subject=filter_input(INPUT_POST,'message',FILTER_SANITIZE_STRING);

but it is now deprecated.

I see a lot of opinions and ways to secure the site against injections. I already use prepared statements with bind params/execute but I want to feel safe with the user inputs.

My question is:

Is it OK to filter using both filter_input together with htmlspecialchars, like this?

$mail->Subject=filter_input(INPUT_POST,'subject',htmlspecialchars);

Or what would you recommend?

  • However, if you want to refresh your knowledge about website vulnerabilities then hacksplaining is a good website. One tip: Never rely on advice given on Stack Overflow... 🙂 Commented May 29, 2024 at 15:00

1 Answer


You can't filter input to protect against SQL injection or XSS vulnerabilities. It's just not possible, because these vulnerabilities are caused by programmer error, not by the data input into the program.

SQL injection happens when a programmer naively builds an SQL string using PHP variables. Use parameterized prepared statements, and whitelisting when building dynamic SQL.

XSS happens when a programmer naively injects data into HTML without formatting it properly first. To protect against it, use htmlspecialchars() every time you put a variable in HTML.

FILTER_SANITIZE_SPECIAL_CHARS is the htmlspecialchars() counterpart, but obviously you should not use it with filter_input, as that would only damage your input data without providing sufficient XSS protection. Use htmlspecialchars() only when outputting information in HTML.
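The two points of the answer side by side, as an added example that is not part of the original question or answer. It assumes the pdo_sqlite extension so it can run offline against an in-memory database; the table, the h() helper, the $allowedColumns whitelist and the sample input are all constructed for the example.

```php
<?php
// Added example, not code from the original question or answer.
// Assumes the pdo_sqlite extension; every name and input below is constructed.
declare(strict_types=1);

// Constructed attacker-style input: SQL metacharacters plus an HTML payload.
$subject = "Hello' OR '1'='1 <script>alert(1)</script>";

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, subject TEXT NOT NULL)');

// 1. SQL injection is a query-construction error. The query text is fixed and the
//    value is bound, so the database never parses the user's quotes as SQL.
$stmt = $pdo->prepare('INSERT INTO messages (subject) VALUES (:subject)');
$stmt->execute([':subject' => $subject]);

// The raw string is stored untouched: no input filtering was needed for the database.
$stored = $pdo->query('SELECT subject FROM messages')->fetchColumn();
var_dump($stored === $subject); // bool(true)

// Parts of a query that cannot be bound (column names, sort direction) are the place
// for a whitelist: anything not on the list falls back to a fixed default.
$allowedColumns = ['id', 'subject'];
$orderBy = $_GET['sort'] ?? 'id';
if (!in_array($orderBy, $allowedColumns, true)) {
    $orderBy = 'id';
}
$rows = $pdo->query("SELECT subject FROM messages ORDER BY $orderBy")
            ->fetchAll(PDO::FETCH_COLUMN);

// 2. XSS is an output-encoding error. Escape at the point the value enters HTML,
//    with the flags spelled out so quotes are covered in attribute context too.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($rows as $row) {
    echo '<li>' . h($row) . "</li>\n";
}
// <li>Hello&#039; OR &#039;1&#039;=&#039;1 &lt;script&gt;alert(1)&lt;/script&gt;</li>

// An email subject header is not HTML, so it gets the raw value; the mail library
// is responsible for header encoding there, not htmlspecialchars().
$mailSubject = $subject;

// 3. What sanitising on input does instead: the stored value is altered, and once it
//    is escaped again on output (which it still must be) the reader sees "&amp;#60;".
$sanitised = filter_var($subject, FILTER_SANITIZE_SPECIAL_CHARS);
echo $sanitised, "\n";    // Hello&#39; OR &#39;1&#39;=&#39;1 &#60;script&#62;alert(1)&#60;/script&#62;
echo h($sanitised), "\n"; // double-encoded: Hello&amp;#39; ... &amp;#60;script&amp;#62; ...
```

Run it with `php example.php`. The stored value stays byte-for-byte what the user typed, the HTML output is escaped once at the moment it is emitted, and the last two lines show why escaping on the way in (the FILTER_SANITIZE_SPECIAL_CHARS route the question asks about) corrupts the data and then double-encodes when the output escaping that is still required is applied.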
