Reputation:
I am working on a website and I am using mysqli to connect to the database. But I don't know what to use to escape HTML input from a user in a form. I have heard of strip_tags, htmlspecialchars, and many others. What should I use? I want to secure my database from peekers, but I also want to secure the users' data. I have md5ed the password.
Upvotes: 0
Views: 392
Reputation: 13273
When getting data from the user you should always consider using the filter extension. It has lots of sanitization and validation filters that you can use. For example, if you are handling a form with the fields `name`, `age`, `email` and `pass` then you can filter them using filters that make sense:
```php
// This filter strips tags from the input (FILTER_SANITIZE_STRING is deprecated since PHP 8.1)
$name = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING);
// This filter strips anything that is not a numeral (a whole number)
$age = filter_input(INPUT_POST, 'age', FILTER_SANITIZE_NUMBER_INT);
// This filter strips characters that are illegal in email addresses
$email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
// This filter does not do anything to the input
$pass = filter_input(INPUT_POST, 'pass', FILTER_UNSAFE_RAW);
```
Use the built-in password hashing API to hash passwords:
```php
$password = filter_input(INPUT_POST, 'password', FILTER_UNSAFE_RAW);
// password_hash() generates its own random salt; the result is a 60-character "$2y$10$..." string
$hashed = password_hash($password, PASSWORD_BCRYPT);
```
...and to verify passwords:
```php
$password = filter_input(INPUT_POST, 'password', FILTER_UNSAFE_RAW);
$hashed = '[HASHED PASSWORD FROM DATABASE]';
// Recomputes the hash with the salt embedded in $hashed and compares in constant time
if (password_verify($password, $hashed)) {
    echo 'Valid password!';
} else {
    echo 'Invalid password!';
}
```
If you have an older version of PHP then this API may not be available to you. In that case you should consider upgrading PHP to the newest stable release. Newer versions of PHP are safer than older versions, so... upgrade! Always upgrade when you can.
If upgrading is not possible then you can use this compatibility library.
As for the database, use the MySQLi API, specifically its prepared statements:
```php
$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
$password = filter_input(INPUT_POST, 'password', FILTER_UNSAFE_RAW);
$hashed = password_hash($password, PASSWORD_BCRYPT);

// Create a database connection
$db = new MySQLi('localhost', 'username', 'password', 'database');

// Prepare an SQL query with placeholders
$stmt = $db->prepare('INSERT INTO `users` (`name`, `hash`) VALUES (?, ?)');

// Always expect errors and do something about them!
if ($stmt === false) {
    die('Prepare error: ' . $db->error);
}

// Bind the username and password to the prepared statement
// ('ss' = two string parameters; the values never become part of the SQL text)
$stmt->bind_param('ss', $username, $hashed);

// Execute and do something...
if ($stmt->execute()) {
    echo 'Saved successfully!';
} else {
    echo 'Error: ', $stmt->error;
}
```
Upvotes: 1
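The answer above shows the three pieces separately. The following is an added example, not code from the answer or from any project, that puts them together for a registration and login flow: validation with `filter_var()` (so bad input is rejected with a message rather than silently mangled), a prepared `INSERT`, and a prepared `SELECT` followed by `password_verify()`. The `users` table and its columns `name`, `email`, `age` and `hash`, the `DB_*` constants, and the function names are assumptions.

```php
<?php
// Added example, not from the answer above: validate the form fields with
// filter_var(), store the user through a MySQLi prepared statement, and check
// a login with password_verify(). The `users` table (columns `name`, `email`,
// `age`, `hash`) and the DB_* constants are assumptions / placeholders.
declare(strict_types=1);

const DB_HOST = 'localhost';  // placeholder
const DB_USER = 'username';   // placeholder
const DB_PASS = 'password';   // placeholder
const DB_NAME = 'database';   // placeholder

// Validate rather than silently "sanitize": a bad value is rejected with a
// message instead of being turned into something the user never typed.
function validateRegistration(array $post): array
{
    $errors = [];

    // Name: tags removed (FILTER_SANITIZE_STRING is deprecated since PHP 8.1),
    // then length-checked. Escaping for HTML happens at output time, not here.
    $name = trim(strip_tags((string) ($post['name'] ?? '')));
    if ($name === '' || mb_strlen($name) > 64) {
        $errors['name'] = 'Name must be 1-64 characters.';
    }

    // Age: must be a whole number inside a plausible range.
    $age = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number between 13 and 120.';
    }

    // Email: reject malformed addresses instead of stripping characters.
    $email = filter_var($post['email'] ?? null, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Invalid email address.';
    }

    // Password: never sanitized or trimmed; only a length policy, then hashed.
    $pass = (string) ($post['pass'] ?? '');
    if (strlen($pass) < 12) {
        $errors['pass'] = 'Password must be at least 12 characters.';
    }

    return [
        'errors' => $errors,
        'values' => ['name' => $name, 'email' => $email, 'age' => $age, 'pass' => $pass],
    ];
}

function connectDb(): mysqli
{
    // Throw exceptions on errors instead of returning false from prepare()/execute().
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    $db->set_charset('utf8mb4');
    return $db;
}

function registerUser(mysqli $db, string $name, string $email, int $age, string $pass): void
{
    // Use a VARCHAR(255) hash column: bcrypt output is 60 characters, but
    // PASSWORD_DEFAULT may switch to a longer algorithm in a future release.
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO `users` (`name`, `email`, `age`, `hash`) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('ssis', $name, $email, $age, $hash);  // values are never concatenated into SQL
    $stmt->execute();
    $stmt->close();
}

// Returns ['id' => ..., 'name' => ...] on success, null on unknown email or wrong password.
function loginUser(mysqli $db, string $email, string $pass): ?array
{
    $stmt = $db->prepare('SELECT `id`, `name`, `hash` FROM `users` WHERE `email` = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $name, $hash);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found || !password_verify($pass, $hash)) {
        return null;  // same response for both failure cases
    }
    return ['id' => $id, 'name' => $name];
}

// Offline demonstration with a constructed POST array; no database needed.
$result = validateRegistration([
    'name'  => '<b>Alice</b>',
    'age'   => '29',
    'email' => 'alice@example.com',
    'pass'  => 'correct horse battery staple',
]);
print_r($result);

// With a real server the two steps would be:
// $db = connectDb();
// registerUser($db, $result['values']['name'], $result['values']['email'], $result['values']['age'], $result['values']['pass']);
// $user = loginUser($db, 'alice@example.com', 'correct horse battery staple');
```

Run it with `php register.php` to see the validated values; only the commented-out calls at the end need a MySQL server. The design choice worth noting is the split: input is validated (and the name has tags stripped) on the way in, the password is hashed and never stored or logged in clear text, SQL parameters go through `bind_param()`, and HTML escaping is left for the output stage.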
Reputation: 53
I'm not really sure if you have a login form only or if you have a registration form too. If you have a registration form that submits data to the database, then you should try to read about sanitizing. This practice will already help you a lot against XSS injection in your database. One thing to note: don't put too much effort into sanitizing the password field, since you don't want to mess up the user's password.
As others already said, MD5 and SHA1 are pointless now; they are security holes. If you are using PHP 5.5 then you should use the methods @Mark Baker wrote in his comment: password_hash()/password_verify().
I would recommend using something like Blowfish; to be honest, it's robust.
Here is a little snippet for you if you want to create a salt:
```php
class PasswordHelper
{
    // Builds a bcrypt setting string: "$2y$" + two-digit cost + base64 salt characters.
    // Note: mcrypt_create_iv() was removed in PHP 7.2; random_bytes() is the replacement.
    public static function createSalt($aLength = 16, $aCost = 10)
    {
        $salt = strtr(base64_encode(mcrypt_create_iv($aLength)), '+', '.');
        // Single quotes, so PHP does not try to interpolate "$2y$" as a variable
        $salt = sprintf('$2y$%02d$', $aCost) . $salt;
        return $salt;
    }
}
```
And how I create the password:
```php
// Second method of the same PasswordHelper class
public static function createPassword($aPassword, $aSalt)
{
    // crypt() with a "$2y$" setting string runs bcrypt
    return crypt($aPassword, $aSalt);
}
```
Then you would be able to create a password based on the user input + salt.
P.S. It's always a good idea to escape values you are inserting in a database.
Upvotes: 0
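The snippet above builds the `$2y$` cost prefix and salt by hand; `password_hash()` produces the same format itself, which is the point of the API. The following added example (not from the answer, and not a library's code) shows that, and also handles the situation the question describes: a database that already holds md5 hashes. On a successful login the md5 hash is replaced by a bcrypt one, and `password_needs_rehash()` upgrades bcrypt hashes whose cost has since been raised. The in-memory `$users` array is a constructed stand-in for a database table.

```php
<?php
// Added example, not from the answer above: let password_hash() generate the
// "$2y$<cost>$<salt>" string, and upgrade legacy md5 hashes at the user's next
// successful login. $users is a constructed in-memory stand-in for a table.
declare(strict_types=1);

const BCRYPT_OPTIONS = ['cost' => 12];  // 2^12 rounds; tune so one hash takes ~100 ms

function makeHash(string $password): string
{
    // Salt comes from a CSPRNG inside password_hash(); no manual salt handling
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

// Unsalted md5 hashes are 32 hex characters; bcrypt hashes start with "$2y$"
function isLegacyMd5(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

/**
 * Check a login against either a bcrypt hash or a legacy md5 hash.
 * Returns null on failure, otherwise the hash that should now be stored:
 * unchanged, or a fresh bcrypt hash when the stored one was md5 or outdated.
 */
function checkAndUpgrade(string $password, string $stored): ?string
{
    if (isLegacyMd5($stored)) {
        // hash_equals() keeps the comparison constant-time
        if (!hash_equals($stored, md5($password))) {
            return null;
        }
        return makeHash($password);  // migrate: the clear text is only available now
    }
    if (!password_verify($password, $stored)) {
        return null;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        return makeHash($password);  // e.g. cost was raised since this hash was made
    }
    return $stored;
}

// Constructed demo store: one row from the old md5 scheme, one bcrypt row at cost 10
$users = [
    'old_user' => md5('hunter2hunter2'),
    'new_user' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]),
];

foreach ([['old_user', 'hunter2hunter2'], ['new_user', 'correct horse'], ['new_user', 'wrong']] as [$u, $p]) {
    $new = checkAndUpgrade($p, $users[$u]);
    if ($new === null) {
        echo "$u: login failed\n";
        continue;
    }
    if ($new !== $users[$u]) {
        $users[$u] = $new;  // in a real app: UPDATE users SET hash = ? WHERE name = ?
        $info = password_get_info($new);
        echo "$u: login ok, hash upgraded to {$info['algoName']} cost {$info['options']['cost']}\n";
    } else {
        echo "$u: login ok\n";
    }
}
```

Both rows end up as bcrypt hashes with the current cost without anyone being forced to reset a password. Users who never log in again keep their md5 hash, so a migration like this is usually paired with a deadline after which remaining md5 rows are invalidated.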
Reputation: 69937
To prevent SQL injections and make escaping input easy, use prepared statements.
Dealing with HTML input depends on what is allowed and whether or not you want certain inputs to accept HTML or not.
If you don't want HTML for an input, you can optionally use strip_tags to completely remove the HTML from the input and then validate it further.
When you want to display a value from the database that came from user input, use htmlspecialchars or htmlentities so that any HTML tags will be converted from `<` to `&lt;`, so the output isn't parsed as HTML, which would otherwise allow people to put malicious links or script tags on your pages.
Upvotes: 0
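The distinction this answer draws, removing HTML at input time versus encoding it at output time, is easy to get wrong in the details: `htmlspecialchars()` only encodes single quotes when `ENT_QUOTES` is passed, and encoding alone does not make a user-supplied URL safe to put in an `href`. The following added example (not from the answer or from any project) shows an escaping helper for text and attribute context plus a scheme allowlist for links; the helper names `e()`, `safeHref()` and `renderProfile()` and the sample values are constructed.

```php
<?php
// Added example, not from the answer above: escape stored user input for HTML
// output, and validate URLs separately because escaping cannot make a bad
// scheme safe. Helper names and sample values are constructed.
declare(strict_types=1);

// Escape for HTML text content and for quoted attribute values.
// ENT_QUOTES also encodes ' (the default only encodes "), ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A URL attribute needs an allowlist of schemes in addition to escaping:
// "javascript:" survives htmlspecialchars() untouched, it contains nothing to encode.
function safeHref(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';
    }
    return e($url);
}

// Builds the profile fragment; every user-controlled value passes through a helper
function renderProfile(string $name, string $bio, string $site): string
{
    return '<h1>' . e($name) . "</h1>\n"
         . '<p>' . e($bio) . "</p>\n"
         . '<a href="' . safeHref($site) . '" title="' . e($name) . '">website</a>' . "\n";
}

// Constructed values as they would come back from the database
$rawName = "O'Brien & <i>Sons</i>";
$rawBio  = '<b>Hello</b> "world"';
$goodUrl = 'https://example.com/obrien';
$badUrl  = 'javascript:void(0)';

// Input-side option from the answer: strip_tags() removes markup before storage.
// It is not an output encoder; text that is kept can still contain & " ' < >.
$storedName = strip_tags($rawName);

// Output side: encode, whatever was or was not stripped on the way in
echo renderProfile($storedName, $rawBio, $goodUrl);
echo renderProfile($rawName, $rawBio, $badUrl);
```

In the rendered output the browser shows the names and the bio literally, including the `<i>` and `<b>` fragments as text, and the second link degrades to `#`. The practical rule is that `strip_tags()` is a policy decision about what to store, while `e()`-style encoding at the point of output is what actually prevents the stored text from being interpreted as markup.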