MakeWebGames

Securing $_GET & $_POST


jcvenom


This is a simple way to secure your $_GET & $_POST

function secure($string)
{
    // ini_get() returns "0", "" or false when magic_quotes_gpc is off (on PHP 5.4+ the setting
    // no longer exists); comparing it against the word 'off' never matched, so test it as a boolean
    if (!filter_var(ini_get('magic_quotes_gpc'), FILTER_VALIDATE_BOOLEAN)) {
        $string = addslashes($string);
    } else {
        //$string = mysql_real_escape_string($string);
        /* There is no need to use mysql_real_escape_string as it should only be used for MySQL; it is there as an example */
        $string = htmlentities($string);
        // If it's a string
        if (is_string($string)) {
            $string = strip_tags(trim($string));
        }
    }

    return $string;
}

How to use

$name = secure($_POST['name']);
if (secure($_POST['example'])) {
}
if (secure($_GET['example'])) {
}

Edited by jcvenom

addslashes is the worst way; also, using mysql_* as an example is terrible. If you're trying to help someone, please do it the right way.

addslashes will... add slashes when using ', so it will appear as \', which is visually horrible.

mysql_* is deprecated.


It would be nice to provide an example


If you use something like PDO, you can secure the variables when you bind them. MySQLi also offers similar functionality.

Considering the MySQL PHP extension is actually deprecated as of PHP 5.5.0:

This extension is deprecated as of PHP 5.5.0, and is not recommended for writing new code as it will be removed in the future. Instead, either the mysqli or PDO_MySQL extension should be used. See also the MySQL API Overview for further help while choosing a MySQL API.

http://www.php.net/manual/en/intro.mysql.php

Check out these links:

http://uk3.php.net/manual/en/intro.pdo.php

http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers
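As an added example (not code from this thread or from any of the linked tutorials), here is what "securing the variables when you bind them" actually buys you: the same attacker-controlled string is pushed through a concatenated query and through a bound parameter, side by side. It assumes PHP 7.1+ with the pdo_sqlite extension so it runs offline against an in-memory database; the users table, its rows and the attack string are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: a concatenated query beside a bound one.
// Uses an in-memory SQLite database (pdo_sqlite) so it runs offline; the users table
// and its rows are constructed for the demonstration.

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);   // real prepares, not client-side quoting
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, cash INTEGER NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username, cash) VALUES (:u, :c)');
    foreach ([['alice', 100], ['bob', 250], ["o'brien", 75]] as [$u, $c]) {
        $ins->execute([':u' => $u, ':c' => $c]);            // values are bound here as well
    }
    return $db;
}

// Vulnerable: the value is spliced into the SQL text, so a quote inside it closes the
// string literal and whatever follows is parsed as SQL.
function lookupConcatenated(PDO $db, string $username): array
{
    $sql = "SELECT username, cash FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the statement text is fixed at prepare() time and the value travels separately
// as data, so it cannot change the statement's structure whatever characters it contains.
function lookupBound(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username, cash FROM users WHERE username = :u');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setupDb();

// Constructed attacker input, as it might arrive in $_POST['username'].
$attack = "x' OR '1'='1";

// Concatenated, the WHERE clause reads  username = 'x' OR '1'='1'  and matches every user.
printf("concatenated: %d row(s)\n", count(lookupConcatenated($db, $attack)));

// Bound, the whole string is compared as one username and matches nobody.
printf("bound:        %d row(s)\n", count(lookupBound($db, $attack)));

// Binding also copes with legitimate quotes, with no addslashes() or escaping in sight.
print_r(lookupBound($db, "o'brien"));
```

The two lookup functions differ only in how the value reaches the database; that difference, not any escaping of the input on the way in, is what stops the injection. Turning off ATTR_EMULATE_PREPARES is what makes the bound path a true server-side prepared statement rather than PDO quoting the value for you.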


Thank you, will have a look.


@op: Magic quotes itself is deprecated, and there's also a total lack of type checking, not to mention the failure to use the function htmlentities correctly. Look at the documentation; essentially it changed how it operated relatively recently, in that it now assumes UTF-8 whereas previously it assumed ISO-8859-1, which can be a nightmare to resolve.

Consider the chain of events:

user input => assertions for existence => type checking => range checking => database sanitation => output sanitation => browser output.

user input: can be assumed to be anything from _GET, _POST, _COOKIE, _FILES and, to an extent, _SERVER and _ENV.

assertions for existence: don't blindly assume the user has passed data; check it first (see array_key_exists, NOT isset).

type checking: both _GET and _POST elements can be arrays, so you really need to check they are strings (not integers), but use the shortcut functions ctype_xxx if you can.

range checking: fairly obvious; pages usually go from 1..numpages, so clamp values or ignore erroneous ones.

data sanitation: mysql_escape_string() (for the mysql_xxx haters and "but mysql is deprecated" fans, read the C code; the function is mysql_real_escape_string, and how you call it from PHP is up to you).

output sanitation: you need to prevent things like "<script>alert(1)</script>" getting through, so htmlentities is the final port of call, but use it properly.

If your server is correctly set up, stripslashes() should not be needed; addslashes() should never be used unless you want to rot in hell for eternity.

in real terms:

for an int:

if (array_key_exists('varname', $_GET) && ctype_digit($_GET['varname'])) {
   $varname = $_GET['varname'];
   # range checking if required
}
else {
   # do what you will here
   header('HTTP/1.1 400 Bad Request');
   exit;
}

for a string

if (array_key_exists('varname', $_GET) && is_string($_GET['varname'])) {
   $varname = $_GET['varname'];
   # range checking if required (possibly in_array() if you are expecting one of a few values, i.e. "Male", "Female")
}
else {
   # do what you will here
   header('HTTP/1.1 400 Bad Request');
   exit;
}

etc.



It's just an idea:

function filter($var)
{
    return preg_replace('/[^a-zA-Z0-9]/', '', $var); // you can arrange replacements as per your requirement
}

$getstr = filter($_POST['string']);

// If filtering changed nothing, the input contained only allowed characters
if (strcmp($getstr, $_POST['string']) === 0) {
    //statement here ----
    return true;
} else {
    header('HTTP/1.1 400 Bad Request');
    exit; // stop here, otherwise the rest of the file still runs
}
Edited by rockwood

@rockwood: consider a faster and more readable alternative:

if (array_key_exists('string', $_POST) && ctype_alnum($_POST['string'])) {
   // at this stage you have a possibly valid input in $_POST['string'] and while it won't be an empty
   // string, (ctype_alnum() returns false if passed ""), it may still need to be checked for excessive length.
}
else {
   header('HTTP/1.1 400 Bad Request');
   // don't forget to exit here, otherwise you will continue execution of the php file.
   exit;
}

preg_xxx functions are very useful, but not the fastest around, while the ctype_xxx functions are often direct calls to the underlying standard library (libc) equivalents, which are *highly* optimized. Your use of a function to filter out unwanted characters is unnecessary and reduces code legibility considerably.
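The chain described earlier (existence, type, range, output sanitation) and the ctype_alnum() reply just above both boil down to the same few checks, so here is one added example that covers both; it is not code from either post. It assumes PHP 7.1+ and takes the request array as an explicit argument so it can be exercised with constructed input; in a page you would pass $_GET or $_POST. Database sanitation is left to bound parameters, as in the PDO example earlier, and htmlspecialchars() stands in for htmlentities() at the output step (same flags and charset argument, and it encodes the characters that matter in HTML). The function names requestInt, requestAlnum, requestEnum, h and handleRequest, and the sample requests, are all invented for the example.

```php
<?php
// Added example, not code from the thread: the validation chain as small functions that
// take the request array explicitly, so they can be exercised with constructed input.
// Database sanitation is left to bound parameters (see the PDO example earlier).

// Integer such as a page number: must exist, be a string of digits, and fit the range.
// Returns the clamped value, or null when the request should be answered with 400.
function requestInt(array $req, string $key, int $min, int $max): ?int
{
    if (!array_key_exists($key, $req) || !is_string($req[$key]) || !ctype_digit($req[$key])) {
        return null;                                  // absent, an array, or not all digits
    }
    $n = filter_var($req[$key], FILTER_VALIDATE_INT); // false for leading zeros or overflow
    if ($n === false) {
        return null;
    }
    return max($min, min($max, $n));                  // clamp instead of trusting the value
}

// Short identifier such as a username: existence, string type, alphabet, then length.
// ctype_alnum() already rejects "", so only the upper bound needs a separate check.
function requestAlnum(array $req, string $key, int $maxLen): ?string
{
    if (!array_key_exists($key, $req) || !is_string($req[$key]) || !ctype_alnum($req[$key])) {
        return null;
    }
    return strlen($req[$key]) > $maxLen ? null : $req[$key];
}

// One of a few fixed values, e.g. "Male"/"Female": in_array() with strict comparison.
function requestEnum(array $req, string $key, array $allowed): ?string
{
    if (!array_key_exists($key, $req) || !is_string($req[$key])) {
        return null;
    }
    return in_array($req[$key], $allowed, true) ? $req[$key] : null;
}

// Output encoding, applied once at the point of output. ENT_QUOTES also covers single-quoted
// attributes; ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of silently returning
// "" (the charset behaviour the post above warns about); the charset is passed explicitly.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Ties the chain together and returns [status, html] so the caller decides how to respond.
function handleRequest(array $req): array
{
    $page = requestInt($req, 'page', 1, 50);
    $user = requestAlnum($req, 'user', 20);
    $sex  = requestEnum($req, 'sex', ['Male', 'Female']);
    if ($page === null || $user === null || $sex === null) {
        return [400, ''];
    }
    return [200, '<p>Page ' . h((string) $page) . ' for ' . h($user) . ' (' . h($sex) . ')</p>'];
}

// Constructed requests standing in for $_GET.
$requests = [
    'good'     => ['page' => '0',  'user' => 'bob42', 'sex' => 'Male'],                    // page clamps up to 1
    'xss'      => ['page' => '7',  'user' => 'bob<script>alert(1)</script>', 'sex' => 'Male'],
    'array'    => ['page' => '7',  'user' => 'bob42', 'sex' => ['Male']],                 // array where a string was expected
    'negative' => ['page' => '-1', 'user' => 'bob42', 'sex' => 'Male'],                   // '-' is not a digit
    'missing'  => ['user' => 'bob42', 'sex' => 'Male'],                                   // no page key at all
];
foreach ($requests as $name => $req) {
    [$status, $html] = handleRequest($req);
    printf("%-8s -> %d %s\n", $name, $status, $html);
}

// The encoder neutralises markup and does not turn invalid UTF-8 into an empty string.
echo h('<script>alert(1)</script>'), PHP_EOL;
var_dump(h("caf\xE9") !== '');

// In a page:  [$status, $body] = handleRequest($_GET);
//             if ($status !== 200) { header('HTTP/1.1 400 Bad Request'); exit; }
//             echo $body;
```

Every validator returns null rather than a "cleaned" value when the input is wrong, so bad input is refused with a 400 instead of being quietly rewritten, which is the difference between this and a filter() that strips characters and carries on. The only transformation applied is the range clamp, and the only escaping happens in h(), at the output end of the chain.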
