Reputation: 4688
I am trying to make sure all my inputs are secure, protecting the server and against XSS attacks. Is validating input with strip_tags and htmlentities a foolproof system? I have been told it was and would like to confirm. I.e., for example:
$re = htmlentities(strip_tags($_GET['re']), ENT_COMPAT, "UTF-8");
This should prevent any Linux commands and any HTML links, correct? Are there any vulnerabilities that haven't been considered with this?
Upvotes: 2
Views: 3197
Reputation: 392
This is how I filter my inputs before I insert them into my database:
<?php
function sanitize($data){
    // Each step must work on the previous result, not on the raw $data,
    // otherwise only the last call has any effect.
    $result = trim($data);
    $result = htmlspecialchars($result);
    // mysql_real_escape_string() needs an open mysql connection, and the
    // mysql extension was removed in PHP 7; PDO parameters replace it.
    $result = mysql_real_escape_string($result);
    return $result;
}
?>
Upvotes: -1
Reputation: 239220
This is not at all what htmlentities is for. Use htmlentities to encode your output before it is sent to the browser. It has nothing to do with sanitizing input. The only thing you need to worry about when processing input is properly escaping data being interpolated into SQL queries to prevent SQL injection. See PHP Data Objects for more on that.
strip_tags is debatably useful here, but you don't need to use both strip_tags and htmlentities. The whole purpose of htmlentities is that it prevents the tags from being interpreted. The only correct way to think about this is: preserve the content the user entered and render it safe. Don't strip their tags, just encode them so they appear as they were typed. Otherwise you wind up stripping things like <sarcasm> and <rant> tags. The intent of the user was not to inject HTML.
"Linux commands" have nothing to do with HTML. There is no way to execute arbitrary Linux commands through HTML/script injection.
"What I have in mind is something such as ";ls -la""
If you are actually taking user-supplied input and executing it via system or something in that vein, you are already in trouble. This is a terrible idea and you shouldn't do it.
</rant>
Upvotes: 5
Reputation: 67019
You must always choose the right tool for the job. That being said, $re = htmlentities(strip_tags($_GET['re']), ENT_COMPAT, "UTF-8"); should never be used for anything. The command is redundant, which means you don't understand what it's doing. It's not very good at preventing XSS because XSS is an output problem.
To sanitize shell arguments you must use escapeshellarg(). For XSS you should use:
htmlspecialchars($_GET['re'], ENT_QUOTES, "UTF-8");
However, this doesn't stop all XSS and it doesn't do anything to stop SQL injection.
Use parameterized queries for SQL.
And all of that just scratches the surface; read the OWASP Top 10.
Upvotes: 4
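The point the two accepted-style answers above make, that the same untrusted value needs a different treatment per output context rather than one "sanitize" pass at input time, shown as a runnable added example (not code from any of the answers). It assumes PHP 7 or later with the pdo_sqlite extension; the table and the input string are constructed for illustration.

```php
<?php
// Constructed input mixing an HTML tag, a SQL quote and a shell metacharacter.
$input = '<script>alert(1)</script>\' OR 1=1; ls -la';

// 1. Storage: keep the raw value and bind it as a parameter. No escaping
//    happens at this layer, so nothing is lost or double-encoded later.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $input]);

// Reading it back: the value is byte-for-byte unchanged, and the quote and
// semicolon never became part of the SQL grammar.
$stored = $db->query('SELECT body FROM comments')->fetchColumn();
var_dump($stored === $input);

// 2. HTML output: encode at render time. ENT_QUOTES covers both ' and " so
//    the value is also safe inside a quoted attribute; ENT_SUBSTITUTE keeps
//    an invalid UTF-8 sequence from making the whole string empty.
function renderHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
echo '<p>' . renderHtml($stored) . "</p>\n";
echo '<input value="' . renderHtml($stored) . "\">\n";

// 3. Shell argument, only where a shell call cannot be avoided: quote the
//    whole value as a single argument. escapeshellarg() wraps it in single
//    quotes and escapes embedded ones, so "; ls -la" stays data.
$arg = escapeshellarg($stored);
echo $arg, "\n";
// printf %s echoes its argument back; equality with $stored shows the shell
// saw one literal argument and executed nothing from the input.
var_dump(shell_exec('printf %s ' . $arg) === $stored);
```

Run it from the command line; the two var_dump calls report whether each boundary preserved the value as data.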