PHP input security question

I'm running user input through the following functions before it's entered into the database, and then outputting it back into the textarea for editing:

Code:
function formatStringInput($string)
{
	
	// Trim whitespace
	$string = trim($string);
	
	// Escape naughty characters
	$string = mysql_real_escape_string($string);
	
	// Return string
	return $string;

}

function formatStringOutputOntoForm($string)
{

	// Strip slashes
	$string = stripslashes($string);
	
	// Return string
	return $string;

}

However if I enter this onto the form:

Code:
<?php echo $test; ?>

The input is accepted.

If this is outputted onto a webpage somewhere, then nothing is printed. However, it does print in the source (View -> Source).

Is there any way I can stop someone trying to enter PHP code?

Or are there additional checks I need to make on the input?

Thx
jd
 
Don't use stripslashes() - use htmlentities() :)

You'll also want to convert new lines (\r\n or \n) to <br /> for display in an HTML page, and vice versa for showing in a textbox on a form :)

I used to have a link to a really, really, really good article on XSS which covered all this, but FF randomly lost them :(

You don't need to worry about PHP code, because that can't be executed like that - you only need to worry about SQL injection, and mysql_real_escape_string() has that covered. Also, mysql....string() needs a database connection so make sure you've opened one before calling it :)
 
Use htmlentities on input or output?

So which functions (and the right order) are needed on inputting stuff to a database, displaying it to edit and displaying it on a webpage?

Yes, I have a MySQL connection open.
 
Form input >>> mysql_real_escape_string() >>> database

Database >>> htmlentities(), str_replace() for \r\n to <br /> >>> output into form :)

You'll also need to do the htmlentities() and str_replace() for outputting onto a page :)
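The order described in this reply, written out as an added example (not code from the thread): one function per boundary, SQL escaping only when the query is built, HTML encoding only when the value is written into the page. It assumes an open mysqli handle in $link and uses mysqli_real_escape_string() in place of the thread's mysql_real_escape_string(), and htmlspecialchars() (which encodes <, >, &, " and ') in place of htmlentities(); either of the two HTML functions gives the same protection here. The textarea version keeps newlines as newlines; only the page version runs nl2br(), and it does so after encoding so the generated <br /> tags survive.

```php
<?php
// Added example, not code from the thread. One function per boundary:
// SQL escaping when building the query, HTML encoding when writing to the page.

// Boundary 1: string -> SQL string literal. Needs a live connection, so this
// assumes an open mysqli handle in $link (the thread's mysql_real_escape_string()
// is the same idea with the older extension). Never use this for HTML output.
function formatStringInput($link, $string)
{
    return mysqli_real_escape_string($link, trim($string));
}

// Boundary 2: string -> contents of a <textarea>. Encode <, >, &, " and ';
// keep newlines as newlines so the editor shows exactly what the user typed.
function formatStringOutputOntoForm($string)
{
    return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}

// Boundary 3: string -> page body. Encode first, then turn newlines into <br />;
// the other order would encode the <br /> tags themselves.
function formatStringOutputOntoPage($string)
{
    return nl2br(htmlspecialchars($string, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample: the string posted in the thread, as it arrives from the
// form with magic_quotes off (no backslashes added by PHP).
$raw = "Hello \"JonD\". It's such a nice day today!\n\nNew line!\n\n<?php echo \$test; ?>";

// The raw value is what gets stored; it is escaped only inside the INSERT.
// Query construction would look like this ($link assumed, not executed here):
//   $sql = "INSERT INTO notes (body) VALUES ('" . formatStringInput($link, $raw) . "')";

echo "--- textarea ---\n";
echo "<textarea name=\"body\">" . formatStringOutputOntoForm($raw) . "</textarea>\n\n";

echo "--- page ---\n";
echo "<p>" . formatStringOutputOntoPage($raw) . "</p>\n";

// In both outputs the PHP open tag comes out as the encoded text &lt;?php ...,
// which is why the stored tag is harmless: it is displayed, never parsed.
```

Run it with php on the command line and compare the two outputs: the textarea version contains the original line breaks, the page version contains <br /> tags, and neither contains a raw < or " from the user.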
 
OK, I'm trying to enter this string:

Hello "JonD". It's such a nice day today!

New line!

<?php echo $test; ?>

This submits fine and is entered back into the textarea as:

Hello \"JonD\". It\'s such a nice day today!<br />
<br />
New line!<br />
<br />
<?php echo $test; ?>

In the database it is stored like this:

Hello \"JonD\". It\'s such a nice day today!

New line!

<?php echo $test; ?>

This is not what I want. This edit form should not be showing any slashes, and the <br /> should not be visible.

Here are the functions:

Code:
function formatStringInput($string)
{
	// Escape characters that are special inside an SQL string literal
	$string = mysql_real_escape_string($string);

	// Return string
	return $string;
}

function formatStringOutputOntoForm($string)
{
	// Encode HTML special characters (<, >, &, quotes) as entities so they
	// display as text instead of being parsed as markup
	$string = htmlentities($string);

	// New lines to <br /> tags
	$string = nl2br($string);

	// Return string
	return $string;
}

Thx
jd
 
Oh, hang on - no need to do the nl2br() to output onto a form.

Also, the slashes are PHP's annoying magic_quotes.

Create a .htaccess file with 'php_flag magic_quotes_gpc off' and put that in the root of your domain (normally /public_html or /htdocs), or run everything through stripslashes() (as you initially had - but it's only needed if magic_quotes is enabled - which you can also check for...but imo it's easier to throw in a .htaccess) :)
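The "check for it" option from this reply, as an added example that is not code from the thread: stripslashes() is applied only when PHP reports that magic_quotes_gpc is on, so a backslash the user really typed is never removed. It assumes get_magic_quotes_gpc() is available; that function is deprecated on PHP 7.4 and gone on PHP 8, so it is wrapped in function_exists(), which on PHP 8 correctly reports "off". The third parameter of readRequestValue() is an assumption added so both states can be demonstrated offline; real code would leave it null and let PHP answer.

```php
<?php
// Added example, not code from the thread. Undo magic_quotes_gpc only when it is
// really on, so stripslashes() never removes a backslash the user actually typed.
// get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists() guard.

function magicQuotesEnabled()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Recursively strip the slashes PHP added; nested arrays (checkbox groups,
// field[] names) get the same treatment.
function undoMagicQuotes($value)
{
    if (is_array($value)) {
        return array_map('undoMagicQuotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Read one request value. $magicQuotes may be passed explicitly for testing
// (assumed parameter for this example); null means "ask PHP", which is what
// production code should do.
function readRequestValue(array $source, $key, $magicQuotes = null)
{
    if (!array_key_exists($key, $source)) {
        return null;
    }
    if ($magicQuotes === null) {
        $magicQuotes = magicQuotesEnabled();
    }
    return $magicQuotes ? undoMagicQuotes($source[$key]) : $source[$key];
}

// Constructed samples: the same submission as PHP would hand it to the script
// with magic_quotes_gpc on (backslashes added) and off (untouched).
$withMagicQuotes    = array('body' => 'Hello \\"JonD\\". It\\\'s such a nice day today!');
$withoutMagicQuotes = array('body' => 'Hello "JonD". It\'s such a nice day today!');

$a = readRequestValue($withMagicQuotes, 'body', true);
$b = readRequestValue($withoutMagicQuotes, 'body', false);

echo $a, "\n";        // the text the user typed, without slashes
echo $b, "\n";        // the same text: nothing was added, so nothing is removed
var_dump($a === $b);  // the two readings agree

// Why the check matters: with magic quotes already off, an unconditional
// stripslashes() eats backslashes the user meant, e.g. in a Windows path.
$path = array('dir' => 'C:\\temp\\notes');
echo readRequestValue($path, 'dir', false), "\n";  // backslashes kept
echo stripslashes($path['dir']), "\n";             // backslashes gone
```

The .htaccess route from the reply above makes the check unnecessary on a server you control; the conditional version is for code that has to run on hosts where you cannot change the setting.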
 
OK, seems to be working fine.

So should the database be storing '<' as '<' or '&lt;' etc?

If the latter, then I need to run htmlentities() on input too?
 
I guess you could run htmlentities() on input too, to ensure that Dodgy Stuff doesn't make it even to the database, so think of my strategy as a starting point to get you secure - feel free to add what you like for additional security :)
 