Sanitizing your database Inputs

By on April 4, 2010

Today I was looking at the code of my fellow team members and was shocked: none of them had sanitized data before sending it to the database. I thought of putting this article before you so that it would be helpful for those who are not aware of this practice. Sanitizing means inspecting your data to make sure it does not contain any malicious code, such as JavaScript. It also means making sure that when your data is inserted or updated it does not break the SQL and do some nasty things. In short, I would say... let's be aware of the SQL injection attack.

When your form is submitted, its fields are stored in the $_GET or $_POST global array; with this information in hand we can perform a lot of things.

strip_tags()

<?php
$input = '<p>My name is Vinothbabu.</p><!-- Comment --> <a href="http://www.vinothbabu.com">My Blog</a>';
echo strip_tags($input);            // strips every tag and the comment
echo strip_tags($input, '<p><a>');  // keeps only <p> and <a>
?>

The output of the above code will be:

My name is Vinothbabu. My Blog
<p>My name is Vinothbabu.</p> <a href="http://www.vinothbabu.com">My Blog</a>

On the second line you pass an additional parameter called allowable_tags, which keeps only the tags you specify.

Some time back, when I was coding an application for a client, I came across a situation where I had to strip out JavaScript, style and HTML tags and multi-line comments. There are many ways to go ahead with this approach...

<?php
function stripTags($variable){
    $searchForm = array(
        '@<script[^>]*?>.*?</script>@si',   // 1. <script> blocks, including their contents
        '@<style[^>]*?>.*?</style>@siU',    // 2. <style> blocks, including their contents
        '@<[\/\!]*?[^<>]*?>@si',            // 3. any remaining HTML tag
        '@<![\s\S]*?--[ \t\n\r]*>@'         // 4. multi-line HTML comments
    );
    $output = preg_replace($searchForm, '', $variable);
    return $output;
}
?>

Let me explain the above code in depth, so that novice programmers may find it useful. The first line is where you define your function, followed by an array. The array contains a list of regular expressions; what do these do? I will go through them in order.

1. It strips out the JavaScript.
2. The style blocks are stripped.
3. The HTML tags are stripped out.
4. Multi-line comments are stripped out, including CDATA.

Then comes preg_replace, which performs a regular expression search and replace, and you finally get the output.

Finally, the real coding mela. Now let me write code which you can use in various places, checking many things. I think a RajiniKanth movie also goes this way: the climax keeps getting better and better, with rocking style. Here I go with another mottai boss style.

<?php
function sanitizing($theInput){
    if(is_array($theInput)){
        // Recurse into nested arrays such as $_POST, sanitizing every value
        $output = array();
        foreach($theInput as $variable=>$value) {
            $output[$variable] = sanitizing($value);
        }
    }
    else{
        // Undo magic_quotes_gpc first, so the value is not escaped twice
        if(get_magic_quotes_gpc()){
            $theInput = stripslashes($theInput);
        }
        $theInput = stripTags($theInput);                  // defined above
        $output = mysql_real_escape_string($theInput);      // needs an open mysql_connect() link
    }
    return $output;
}
?>

Now, from here, let's take an example of how to use the above function in our code.

<?php
$string = "Howdy Vinothbabu <script src='filename.js'></script> It's so cool!";

$_POST = sanitizing($_POST);
$_GET = sanitizing($_GET);
$output = sanitizing($string);
?>

The above code will return Howdy Vinothbabu It\'s so cool! Now let's take a break, by having a cigar and tea, and then jump into how the code works and what the above methods are. Let me explain it to you in my BOSS [Superstar RajiniKanth] style.

The first thing to understand is magic quotes, which adds a backslash before any of the following: ' (single quote), " (double quote), \ (backslash) and NULL characters. get_magic_quotes_gpc() returns 0 [Off] or 1 [On], depending on your php.ini. If it is turned ON, then we strip all the backslashes: a single \ is removed and \\ is converted into one.

Normally we have to take care when using stripslashes: if the text we insert into our db contains \n, then you will encounter it as n instead of \n. Now comes the next line, where we call the stripTags() function defined above, which strips out the tags. The final one is mysql_real_escape_string(). I think some may be wondering where addslashes went; I would stop here rather than go further into a debate on which is better, I prefer mysql_escape_string as it sounds good. Using mysql_real_escape_string() around each variable prevents SQL injection.
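As an added example that is not part of the original post: the same insert and display written with PDO prepared statements, which is the modern replacement for mysql_real_escape_string() (the mysql_* extension was removed in PHP 7.0). The table, column and connection details are assumed placeholders, and the input string is the one from the post.

```php
<?php
// Added example, not the post's own code. Assumes a MySQL table
// `comments` (id INT AUTO_INCREMENT, body TEXT); the connection
// details below are constructed placeholders.
declare(strict_types=1);

// The same script-laden input used in the post, constructed inline.
$input = "Howdy Vinothbabu <script src='filename.js'></script> It's so cool!";

$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
    'example_user',
    'example_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// 1. SQL context: the value travels separately from the query text, so the
//    quote in "It's" can never terminate the SQL literal. No escaping call is
//    needed and the stored text keeps its original characters.
$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $input]);

// Numeric contexts are bound too. Note that mysql_real_escape_string() only
// protects a value placed inside a quoted string literal; an unquoted
// WHERE id = $id is not covered by it, but a bound parameter is.
$select = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
$select->bindValue(':id', (int) ($_GET['id'] ?? 0), PDO::PARAM_INT);
$select->execute();

// 2. HTML context: escape when rendering, not when storing. The <script>
//    text is still in the row, but htmlspecialchars() renders it inert.
foreach ($select as $row) {
    echo '<p>' . htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</p>\n";
}
```

Each output context (SQL, HTML) gets its own escaping at the point of use, which is why a single sanitizing() pass at input time is not a substitute for prepared statements.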

Conclusion:

PHP is a secure language, if the programmers take care of such niggling things while coding. I have always felt the heat when someone says PHP is not secure; it is all left in the hands of the developers while coding. I hope you people enjoy reading my article.

About Sachin

One Comment

1. Hylix

December 31, 2011 at 1:22 pm

So if I am reading this correctly, if you only use mysql_real_escape_string() you are safe against SQL injection?

Then why do I see a lot of people using a function to manually strip the tags/slashes etc. etc.?
