If you write a script in PHP, it's one thing handing benign user inputs, and quite another "bullet proofing" your script against awkward characters (of the "less than" and "double quote" type) entered into form fields where they can lead to problems of the SQL error, echo display corruption and injection attack style.
I use the following diagram on
PHP courses to remind trainees of the need to clean us EVERY user entry variable and to process EVERY string that's send out to a database or as part of the HTML response:
Remember that PHP was
designed to handle web page work, so this string cleansing can be done with built in functions -
there's a function to do that as we say during courses!
Just be aware ... that there are other issues as well as the ones shown in our diagram. If you're looking to write cast iron (squaddie proof) PHP, you'll need to use regular expressions to check that the inputs made of are of the format your program expects, you'll have to ensure that register globals is off or that every variable is initialised, and you'll need to check that users don't enter file names starting with "/" or "../".
(written 2006-02-03, updated 2006-06-11)
Commentator | says ... | john moylan: | Hello Graham.
Just a quick note regarding your diagram.
I thought that the preferred method of escaping prior to insertion into a database is to use database native functions.
e.g. mysql_real_escape_string or pg_escape_string (comment added 2006-02-04 01:53:15) |
Graham Ellis: | Yes, I would "go with" those alternatives sometimes, John.
I always worry about using database native functions in case someone wants to change the underlying database though. My own, somewhat longwinded in a short post, pedant preference is to write my own wrapper function, keep it in a required file of helpers, and use it excluselively. This allows for future changes, sitewide, with just a single source edit. (comment added 2006-02-04 05:12:27) |
john moylan: | Hello Graham.
>> I always worry about using database native functions in case someone wants to change the underlying database though.
Something you've taught me is to have a love of CPAN, this in turn has created a similar affection for PEAR.
The PEAR DB module is great for this (think Perl's DBI) and its 'quotesmart' method does just this regardless of which db you use. (or change too)
The strange thing now is when I read PHP books that have database code the code feels a little foreign as I never use the native mysql funtions anymore, in fact I never used them in anger at all in any production code.
It's been one of the most timesaving modules I've found as I can code in PEAR DB pretty much as I did in CPAN DBI
Also have a look at HTML_Quickform, I build all my forms with this now. (comment added 2006-02-05 11:43:23) |
Associated topics are indexed as below, or enter http://melksh.am/nnnn for individual articles
H110 - PHP - HTML Web Page Data Handling [50] Current cost in your local currency - (2004-09-16)
[789] Hot answers in PHP - (2006-07-02)
[896] PHP - good coding practise and sticky radio buttons - (2006-10-17)
[1001] .pdf files - upload via PHP, store in MySQL, retrieve - (2006-12-19)
[1053] Sorting people by name in PHP - (2007-01-26)
[1136] Buffering output - why it is done and issues raised in Tcl, Perl, Python and PHP - (2007-04-06)
[1169] Emailing as HTML (Web Page) - PHP example - (2007-04-30)
[1831] Text formating for HTML, with PHP - (2008-10-11)
[2025] Injection Attack if register_globals in on - PHP - (2009-02-04)
[2046] Finding variations on a surname - (2009-02-17)
[2107] How to tweet automatically from a blog - (2009-03-28)
[2135] What features does this visitors browser support? (PHP) - (2009-04-22)
[3036] Sending out an email containing HTML from within a PHP page - (2010-11-07)
[3926] Filtering PHP form inputs - three ways, but which should you use? - (2012-11-18)
H107 - String Handling in PHP [31] Here documents - (2004-08-28)
[54] PHP and natural sorting - (2004-09-19)
[337] the array returned by preg_match_all - (2005-06-06)
[422] PHP Magic Quotes - (2005-08-22)
[463] Splitting the difference - (2005-10-13)
[493] Running a Perl script within a PHP page - (2005-11-12)
[558] Converting between acres and hectares - (2006-01-08)
[560] The fencepost problem - (2006-01-10)
[574] PHP - dividing a string up into pieces - (2006-01-23)
[608] Don't expose your regular expressions - (2006-02-15)
[642] How similar are two words - (2006-03-11)
[716] Evaluating arithmetic expressions in configuration files - (2006-05-10)
[728] Looking ahead and behind in a Regular Expression - (2006-05-22)
[1008] Date conversion - PHP - (2006-12-26)
[1058] PHP Regular expression to extrtact link and text - (2007-01-31)
[1195] Regular Express Primer - (2007-05-20)
[1336] Ignore case in Regular Expression - (2007-09-08)
[1372] A taster PHP expression ... - (2007-09-30)
[1533] Short and sweet and sticky - PHP form input - (2008-02-06)
[1603] Do not SHOUT and do not whisper - (2008-04-06)
[1613] Regular expression for 6 digits OR 25 digits - (2008-04-16)
[1799] Regular Expressions in PHP - (2008-09-16)
[2165] Making Regular Expressions easy to read and maintain - (2009-05-10)
[2238] Handling nasty characters - Perl, PHP, Python, Tcl, Lua - (2009-06-14)
[2629] Curly braces within double quoted strings in PHP - (2010-02-09)
[3020] Handling (expanding) tabs in PHP - (2010-10-29)
[3424] Divide 10000 by 17. Do you get 588.235294117647, 588.24 or 588? - Ruby and PHP - (2011-09-08)
[3515] PHP - moving from ereg to preg for regular expressions - (2011-11-11)
[3516] Regular Expression modifiers in PHP - summary table - (2011-11-12)
[3534] Learning to program in PHP - Regular Expression and Associative Array examples - (2011-12-01)
[3788] Getting more than a yes / no answer from a regular expression pattern match - (2012-06-30)
[3789] More than just matching with a regular expression in PHP - (2012-06-30)
[3790] Solution looking for a problem? Lookahead and Lookbehind - (2012-06-30)
[4071] Setting up strings in PHP - (2013-04-27)
[4072] Splitting the difference with PHP - (2013-04-27)
Some other Articles
Finding where the disc space has goneNOT Gone phishingKey facts - SQL and MySQLDanny and Donna are getting marriedRobust PHP user inputsChanging @INC - where Perl loads its modulesJob vacancy - double agent wantedPerl Regular Expressions - finding the position and length of the matchLooking for Python staffLoosing breath with Gerald