Reputation: 3558
I'm using PHP 5 with SQLite 3 class and I'm wondering if using PHP built-in data filtering function with the flag FILTER_SANITIZE_STRING is enough to stop SQL injection and XSS attacks.
I know I can go grab a large ugly PHP class to filter everything but I like to keep my code as clean and as short as possible.
Please advise.
Upvotes: 5
Views: 9778
Reputation: 392
FILTER_SANITIZE_STRING will remove HTML tags, not special characters like &. If you want to convert special characters to entity codes to prevent malicious users from doing anything:
filter_input(INPUT_GET, 'input_name', FILTER_SANITIZE_SPECIAL_CHARS);
OR
filter_var($var_name, FILTER_SANITIZE_SPECIAL_CHARS);
If you want to encode everything, it's worth using FILTER_SANITIZE_ENCODED.
For more info: https://www.php.net/manual/en/function.filter-var.php
Upvotes: 1
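The following is an added example, not code from the answer above: it runs the three sanitizer constants the answer mentions over one constructed string so their different effects can be compared. It assumes PHP 7.x (on PHP 8.1 and later FILTER_SANITIZE_STRING still works but is deprecated and emits a notice); the function name and the sample string are made up for the example.

```php
<?php
// Added example (not part of the original answer). Assumes PHP 7.x;
// FILTER_SANITIZE_STRING is deprecated from PHP 8.1.

declare(strict_types=1);

// Apply each sanitizer to the same untrusted string so the differences
// described in the answer are visible side by side.
function compare_filters(string $raw): array
{
    return [
        'raw'                    => $raw,
        // strips tags; by default also turns ' and " into &#39; / &#34;
        // but leaves & untouched ...
        'SANITIZE_STRING'        => filter_var($raw, FILTER_SANITIZE_STRING),
        // ... unless the & encoding flag is requested explicitly
        'SANITIZE_STRING+AMP'    => filter_var($raw, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_AMP),
        // HTML-encodes ' " < > & (and control characters) as numeric
        // entities; removes nothing
        'SANITIZE_SPECIAL_CHARS' => filter_var($raw, FILTER_SANITIZE_SPECIAL_CHARS),
        // percent-encodes (URL-encodes) the whole string
        'SANITIZE_ENCODED'       => filter_var($raw, FILTER_SANITIZE_ENCODED),
    ];
}

$sample = '<b>Tom & Jerry\'s "pet" shop</b>';   // constructed sample input
foreach (compare_filters($sample) as $label => $value) {
    printf("%-24s %s\n", $label, $value);
}
```

Note that all three are output encoders for a particular target (HTML text, HTML entities, URL): none of them is an SQL escaping function, and whichever one is applied before storage changes the data the user actually typed.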
Reputation: 1372
If you are just trying to build a simple form and don't want to introduce any heavy or even light frameworks, then go with PHP filters and use PDO for the database. This should protect you from everything but cross site request forgeries.
Upvotes: 0
Reputation: 1735
It's never wise to use the same sanitization function for both XSS and SQLI. For XSS you can use htmlentities to filter user input before output to HTML. For SQLI on SQLite you can either use prepared statements (which is better) or use escapeString to filter user input before constructing SQL queries with them.
Upvotes: 2
Reputation: 51950
The SQLite3 class allows you to prepare statements and bind values to them. That would be the correct tool for your database queries.
As for XSS, well that is entirely unrelated to your use of SQLite.
Upvotes: 2
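As an added example (not code from this answer or from the one above recommending prepared statements plus htmlentities), here is the complete flow those two answers describe with the SQLite3 class: validate the type of the incoming id, bind the user-supplied values instead of sanitizing them, and encode for HTML only at output. It assumes PHP 7.4 or later with ext/sqlite3 loaded; the table, column and function names are made up for the example.

```php
<?php
// Added example (not from the original question or answers).
// Assumes PHP >= 7.4 with ext/sqlite3; table and function names are made up.

declare(strict_types=1);

function open_db(): SQLite3
{
    $db = new SQLite3(':memory:');          // constructed in-memory database
    $db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $db;
}

// Store the value exactly as typed: because it is bound as a parameter,
// SQLite never parses it as SQL, so no sanitizing (and no data mangling)
// is needed here.
function add_customer(SQLite3 $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO customers (name) VALUES (:name)');
    $stmt->bindValue(':name', $name, SQLITE3_TEXT);
    $stmt->execute();
    return (int) $db->lastInsertRowID();
}

// $rawId is untrusted input (e.g. $_GET['id']); validate its type
// rather than stripping characters out of it.
function find_customer(SQLite3 $db, string $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                         // reject, do not "clean"
    }
    $stmt = $db->prepare('SELECT name FROM customers WHERE id = :id');
    $stmt->bindValue(':id', $id, SQLITE3_INTEGER);
    $row = $stmt->execute()->fetchArray(SQLITE3_ASSOC);
    return $row === false ? null : $row['name'];
}

// Encode for the HTML context at the moment of output; ENT_QUOTES covers
// both quote styles so the value is also safe inside attribute values.
function render_name(?string $name): string
{
    if ($name === null) {
        return '<p>No such customer.</p>';
    }
    return '<p>' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

$db = open_db();
$id = add_customer($db, "O'Neil & Sons <Ltd>");        // constructed sample input

echo render_name(find_customer($db, (string) $id)), PHP_EOL;  // stored intact, rendered encoded
echo render_name(find_customer($db, '7abc')), PHP_EOL;        // fails integer validation
```

The same structure applies with PDO's prepare/bindValue if you prefer that API; the point is that the SQL and the data never travel through the same string.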
Reputation: 11136
If you don't trust your own understanding of the security issues enough to need to ask this question, how can you trust someone here to give you a good answer?
If you go down the path of stripping out unwanted characters sooner or later you're going to be stripping out characters that users want to type. It's better to encode for the specific context that the data is used.
Check out OWASP ESAPI, it contains plenty of encoding functions. If you don't want to pull in that big of a library, check out what the functions do and copy the relevant parts to your codebase.
Upvotes: -2
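To make the "encode for the specific context" advice concrete, here is an added example that is not part of the answer and is not ESAPI's API: one small encoder per output context, chosen by the caller, built only from PHP's standard functions. It assumes PHP 7.3 or later (for JSON_THROW_ON_ERROR); the function name and the sample value are made up.

```php
<?php
// Added example (not from the original answer, and not ESAPI's API).
// Assumes PHP >= 7.3. Context names and the sample value are made up.

declare(strict_types=1);

function encode_for(string $context, string $value): string
{
    switch ($context) {
        case 'html':       // text between tags
        case 'attr':       // inside a double-quoted attribute value
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        case 'url':        // a single query-string parameter value
            return rawurlencode($value);
        case 'js':         // a string literal inside a <script> block
            return json_encode(
                $value,
                JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
            );
        default:
            throw new InvalidArgumentException("unknown output context: $context");
    }
}

$name = "O'Neil & Sons <Ltd>";   // constructed input, kept exactly as typed

echo '<p>' . encode_for('html', $name) . '</p>', PHP_EOL;
echo '<input value="' . encode_for('attr', $name) . '">', PHP_EOL;
// A URL inside an attribute crosses two contexts, so encode twice, inner first.
echo '<a href="/search?q=' . encode_for('attr', encode_for('url', $name)) . '">', PHP_EOL;
echo '<script>var who = ' . encode_for('js', $name) . ';</script>', PHP_EOL;
```

Nothing is stripped from the input at any point; the apostrophe, ampersand and angle brackets the user typed are all preserved in storage and only transformed into the representation each output context requires.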
Reputation: 350
I think it's good enough to secure your string data inputs, but there are many other options available which you can choose, e.g. other libraries would increase your application's processing time but will help you to process/parse other types of data.
Upvotes: -1