When sanitizing PHP variables, am I abusing it?

I have been working with PHP for some time, and I started asking myself if I am developing good habits.

One of them is the way I believe you should use PHP sanitization methods. For example, a user logs in through a form, and I get the following POST variables:

$_POST['name'], $_POST['email'] and $_POST['captcha']. Now what I usually do, obviously, is sanitize the data that I am going to place in MySQL, but when comparing the captcha, I also sanitize it.

Therefore, I believe that I misunderstood PHP sanitizing. I am curious whether there are other cases when you need to sanitize data, apart from when you use it to store something in MySQL (note that I know that XSS attack prevention also requires sanitization). And besides, is sanitizing almost every variable coming from user input a bad habit of mine?

+6
2 answers

Whenever you store your data somewhere, and if this data is read / available to users (unsuspecting), then you must sanitize it. Therefore, you should take care of what can change the user interface (not only the database). As a rule, all user data is considered unsafe, but in the next paragraph you will see that some things can still be ignored, although I do not recommend it at all.

Things that happen only on the client are sanitized only for a better UX (user experience, think of JS form validation; from a security point of view it is useless because it is easy to bypass, but it helps non-malicious users have a better interaction with the website), but in principle it cannot do much harm, since the data (good or bad) is lost as soon as the session closes. You can always break a web page for yourself (on your computer), but the problem is when someone can do this for others.

To answer your question more directly - never worry about overdoing it. It is always better to be safe than sorry, and the cost usually does not exceed a few milliseconds.

+3

The term you need to find is FIEO. Filter In, Escape Out.

You can easily embarrass yourself if you do not understand this basic principle.

Imagine that PHP is the man in the middle: data comes in on his left hand and goes out on his right.

The user uses your form and fills out the date field, so it should only accept numbers and possibly a dash, e.g. NNNNN-nn-nn. If you get something that doesn't match this, then reject it.

This is an example of filtering.

Next, PHP does something with it, say stores it in a MySQL database.

What MySQL needs is to be protected from SQL injection, so you use prepared PDO or MySQLi statements to make sure that EVEN IF your filter fails, you cannot allow an attack on your database. This is an example of Escaping, in this case escaping for SQL storage.

Later, PHP gets the data from your db and displays it on the HTML page. So you need to escape the data for the next medium, HTML (this is where XSS attacks can be allowed).

In your head, you have to separate each of the "protective" PHP functions into one or more of these two families: "Filtering" or "Escaping".

Freetext fields, of course, are more complicated than filtering for a date, but it doesn't matter, stick to the principles and you will be fine.

Hoping this helps http://phpsec.org/projects/guide/

+3
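The date example from the answer above, carried through all three steps of Filter In, Escape Out, as an added example that is not part of the original answer. The form field names, the `users` table and column names, and the PDO connection details are assumptions; the name field is freetext, so it is only escaped at the SQL and HTML boundaries, not filtered.

```php
<?php
// Added example (not from the answer): Filter In, Escape Out for a date field.
// Field names, table/column names and the PDO DSN are assumed placeholders.
declare(strict_types=1);

// Filter In: accept only a YYYY-MM-DD date, reject everything else.
function filterDate(string $raw): ?string
{
    // Shape check: exactly NNNN-NN-NN with nothing before or after
    // (\A and \z, not ^ and $, so a trailing newline is not accepted).
    if (!preg_match('/\A\d{4}-\d{2}-\d{2}\z/', $raw)) {
        return null;
    }
    // Calendar check so that e.g. 2024-02-30 is rejected as well.
    [$y, $m, $d] = array_map('intval', explode('-', $raw));
    return checkdate($m, $d, $y) ? $raw : null;
}

// Escape Out (SQL): a prepared statement keeps the value out of the query
// text, so even if the filter above fails the value cannot become SQL.
function storeBirthdate(PDO $db, string $name, string $date): void
{
    $stmt = $db->prepare('INSERT INTO users (name, birthdate) VALUES (:name, :birthdate)');
    $stmt->execute([':name' => $name, ':birthdate' => $date]);
}

// Escape Out (HTML): encode for the next medium when the data is displayed.
function renderUser(string $name, string $date): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>' . $h($name) . ' was born on ' . $h($date) . '</p>';
}

// Request handling: filter first, then store, then render.
$name = (string)($_POST['name'] ?? '');
$date = filterDate((string)($_POST['birthdate'] ?? ''));
if ($date === null) {
    http_response_code(400);
    exit('Invalid date');
}
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
storeBirthdate($db, $name, $date);
echo renderUser($name, $date);
```

Note that the name is never "sanitized" into something else; it is stored verbatim through the prepared statement and encoded only at the point where it meets HTML, which is the whole point of keeping filtering and escaping as two separate families.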

Source: https://habr.com/ru/post/977299/