Ultimate Clean / Safe Function

I have many user inputs from $_GET and $_POST... At the moment, I always write mysql_real_escape_string($_GET['var'])...

I would like to know if it is possible to make a function that secures, escapes and cleans the $_GET / $_POST arrays right away, so you don't have to deal with this every time you work with user inputs, etc.

I was thinking of a function like cleanMe($input), and inside it it should run mysql_real_escape_string, htmlspecialchars, strip_tags and stripslashes (I think all of these together should make it clean and safe), and then return $input.

So is this possible? To make a function that works for all of $_GET and $_POST, you would only have to do this:

    $_GET = cleanMe($_GET);
    $_POST = cleanMe($_POST);

So, later in your code, when you work with, for example, $_GET['blabla'] or $_POST['haha'], are they protected, escaped, and so on?

I tried a little:

    function cleanMe($input) {
        $input = mysql_real_escape_string($input);
        $input = htmlspecialchars($input, ENT_IGNORE, 'utf-8');
        $input = strip_tags($input);
        // note: stripslashes removes the backslashes mysql_real_escape_string just added
        $input = stripslashes($input);
        return $input;
    }
+53
security php sql-injection xss
Nov 19 '10 at 10:09
7 answers

The idea of a general sanitization function is a flawed concept.

For every purpose there is one proper sanitization method. Running them all indiscriminately on a string often breaks it: escaping an HTML snippet for an SQL query will break it for use on a web page, and vice versa. Sanitization should be applied right before the data is used:

  • before running a database query. The correct sanitization method depends on the library used; they are listed in How can I prevent SQL injection in PHP?

  • htmlspecialchars() for safe HTML output

  • preg_quote() for use in a regular expression

  • escapeshellarg() / escapeshellcmd() for use in an external command

  • etc.

Using a “one size fits all” sanitization function is like using five types of highly toxic insecticides on a plant that by definition can contain only one kind of bug, only to find out that your plants are infested with a sixth kind on which none of the insecticides works.

Always use the one correct method, ideally right before passing the data to the function. Never mix methods unless you need to.

+120
Nov 19 '10 at 10:12

It makes no sense to just pass input through all these functions. All these functions have different meanings. Data does not get "cleaner" by calling extra escape functions.

If you want to store user input in MySQL, you only need to use mysql_real_escape_string. It is then fully escaped for safe storage in the database.

EDIT

Also pay attention to the problems you run into when using the other functions. If the client sends, for example, a username to the server and the username contains an ampersand (&), you do not want to call htmlentities on it before storing it in the database, because then the username in the database will contain &amp;.

+7
Nov 19 '10 at 10:14
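The first answer's rule (one escaping method per context, applied at the point of use) and the second answer's warning about storing HTML-escaped data, as an added example that is not code from either answer; it assumes PHP 7 or later with the pdo_sqlite extension and uses an in-memory database:

```php
<?php
// Added example, not code from any of the answers. One constructed user input
// is carried through the SQL, HTML, regex and shell contexts, each with the
// escaping that belongs to that context. Assumes PHP 7+ with pdo_sqlite.

$raw = "O'Reilly & <Sons> (v2.0)";   // constructed sample user input

// SQL context: a prepared statement carries the raw value; no escaping call at all.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $raw]);

// String concatenation, by contrast, already breaks on the plain apostrophe.
try {
    $pdo->exec("INSERT INTO users (name) VALUES ('$raw')");
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

$stored = $pdo->query('SELECT name FROM users')->fetchColumn();
var_dump($stored === $raw);   // the value is stored exactly as the user typed it

// HTML context: escape when rendering, so ', &, < and > become entities here.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";

// Regex context: the value as a literal pattern, so ( ) and . get backslashes.
echo preg_quote($stored, '/'), "\n";

// Shell-argument context: single-quoted with the inner apostrophe handled.
echo escapeshellarg($stored), "\n";

// The second answer's point: escaping for HTML *before* storing puts the entity
// form into the database, and rendering it later escapes the & a second time.
$insert->execute([':name' => htmlentities($raw, ENT_QUOTES, 'UTF-8')]);
$last = $pdo->query('SELECT name FROM users ORDER BY rowid DESC LIMIT 1')->fetchColumn();
echo $last, "\n";                                         // entities already in the row
echo htmlspecialchars($last, ENT_QUOTES, 'UTF-8'), "\n";  // double-encoded on output
```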

You are looking for filter_input_array(). However, I suggest using it only for business-style validation/sanitization, not for filtering SQL input.

To protect against SQL injection, use parameterized queries with mysqli or PDO.

+6
Nov 19 '10 at 10:21
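What the answer above means by business-style validation with the filter extension, as an added example that is not the answer's own code; it assumes PHP 7 or later and, because filter_input_array() reads $_POST/$_GET itself and cannot be fed from a CLI script, applies the same definition array through filter_var_array() to a constructed request:

```php
<?php
// Added example, not code from the answer. A definition array validates each
// field (type, range, pattern); anything that fails is rejected, not "cleaned".
// filter_input_array(INPUT_POST, $definition) takes the identical definition.

$post = [                                  // constructed sample request
    'age'   => '42',
    'email' => 'bob@example.com',
    'page'  => '9999',
    'name'  => "Bob O'Brien",
    'tags'  => ['php', 'sql;injection'],
];

$definition = [
    'age'      => ['filter'  => FILTER_VALIDATE_INT,
                   'options' => ['min_range' => 13, 'max_range' => 120]],
    'email'    => FILTER_VALIDATE_EMAIL,
    'page'     => ['filter'  => FILTER_VALIDATE_INT,
                   'options' => ['min_range' => 1, 'max_range' => 500]],
    'name'     => ['filter'  => FILTER_VALIDATE_REGEXP,          // letters, space, ' . - only
                   'options' => ['regexp' => '/^[\p{L} .\'-]{1,64}$/u']],
    'tags'     => ['filter'  => FILTER_VALIDATE_REGEXP,
                   'flags'   => FILTER_REQUIRE_ARRAY,            // validate every element
                   'options' => ['regexp' => '/^[a-z0-9-]{1,20}$/']],
    'referrer' => FILTER_VALIDATE_URL,                           // optional, absent here
];
$required = ['age', 'email', 'page', 'name'];

// Missing keys come back as null, failed validation as false (per element for arrays).
$clean  = filter_var_array($post, $definition);
$errors = [];
foreach ($definition as $field => $rule) {
    $value = $clean[$field];
    if ($value === null && in_array($field, $required, true)) {
        $errors[] = "$field: missing";
    } elseif (is_array($value) ? in_array(false, $value, true) : $value === false) {
        $errors[] = "$field: invalid";
    }
}

if ($errors) {
    // Reject the whole request; here 'page' is out of range and one tag fails the pattern.
    echo "rejected: ", implode('; ', $errors), "\n";
} else {
    // $clean now holds typed values (age is an int) ready for a prepared statement.
    var_dump($clean);
}
```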

The problem is that something clean or safe for one use will not be for another: cleaning part of a path, part of a MySQL query, output to HTML (as HTML, inside JavaScript or as an input value) or XML may each require different things that contradict each other.

But some global things can be done. Try using filter_input to get your user input, and use prepared statements for your SQL queries.

Also, instead of a do-it-all function, you can create a class that controls your inputs. Something like this:

    class inputManager {
        static function toHTML($field) {
            $data = filter_input(INPUT_GET, $field, FILTER_SANITIZE_SPECIAL_CHARS);
            return $data;
        }

        static function toSQL($field, $dbType = 'mysql') {
            $data = filter_input(INPUT_GET, $field);
            if ($dbType == 'mysql') {
                return mysql_real_escape_string($data);
            }
        }
    }

With something like this, if you see any $_POST, $_GET, $_REQUEST or $_COOKIE in your code, you know that you need to change it. And if one day you have to change the way you filter the input, you just change the class you made.

+3
Nov 19 '10 at 10:22

May I suggest installing "mod_security" if you are using Apache and have full access to the server?

This solved most of my problems. However, do not rely only on one or two solutions; always write protected code ;)

UPDATE: Found this PHP IDS (http://php-ids.org/); seems nice :)

+1
Nov 19 '10 at 10:17
    <?php
    function sanitizeString($var) {
        $var = stripslashes($var);
        $var = strip_tags($var);
        $var = htmlentities($var);
        return $var;
    }

    function sanitizeMySQL($connection, $var) {
        $var = $connection->real_escape_string($var);
        $var = sanitizeString($var);
        return $var;
    }
    ?>
0
Jun 11 '17 at 19:01

I used this; pass it the array, GET or POST:

    function cleanme(&$array) {
        if (isset($array)) {
            foreach ($array as $key => $value) {
                if (is_array($array[$key])) {
                    // recurse into nested arrays (the post called an undefined secure_array() here)
                    cleanme($array[$key]);
                } else {
                    $array[$key] = strip_tags(mysql_real_escape_string(trim($array[$key])));
                }
            }
        }
    }

Using:

    cleanme($_GET);
    cleanme($_POST);
-1
Jan 31 '16 at 9:13


