Hold Tight...

0 %
Warith AL Maawali
Driving cybersecurity excellence
Innovator behind Linux Kodachi
  • Residence:
    ::0
  • Uptime Binary:
    101110
  • Mantra:
    Innovate, Secure, Repeat
ONS
EEDS
NSSG
Visual basic
Gambas
PHP
Delphi
Bash
  • Cybersecurity
  • Generative AI
  • Cloud & Automation
  • Cryptocurrency

Sanitize data and prevent SQL injections in php

07/06/2013

Importance of Data Sanitization in PHP: Preventing SQL and XSS Attacks

The reason for adding this blog is that sometimes, when I code in PHP, I forget that data has to be sanitized before execution to prevent SQL or XSS attacks. The simplest way to make SQL injection difficult is to use either MySQLi or PDO prepared statements, as they keep the SQL queries and data inputs wholly separated. Here are some examples:

However, if you need to use data sanitization in regular PHP statements, here are some effective methods that I use:

  1. Prepared Statements with MySQLi:
    • Use MySQLi prepared statements to ensure that SQL queries and data are processed separately, reducing the risk of SQL injection attacks.
  2. Prepared Statements with PDO:
    • Similar to MySQLi, PDO (PHP Data Objects) also supports prepared statements, providing a secure way to handle SQL queries.
  3. Sanitizing Data in PHP:
    • Use functions such as htmlspecialchars() and strip_tags() to sanitize user inputs and prevent XSS attacks.
    • Validate and sanitize data before using it in SQL queries or displaying it on a web page.

By following these practices, you can significantly reduce the risk of SQL and XSS attacks in your PHP applications, ensuring that your data is handled securely.

Methods:

 
Integer values:

PHP
// To SANITIZE Integer value use
$var=(filter_var($var, FILTER_SANITIZE_NUMBER_INT));

//example:
$theNumber="983928/2ddo@3233'0 or 1 '%^33)_23@''''$9123!@~#";
$theNumber=(filter_var($theNumber, FILTER_SANITIZE_NUMBER_INT));
echo $theNumber; 
//cleaned out put will be: 983928232330133239123
PHP

Email values:

PHP
//To SANITIZE email query value use
$var=(filter_var($var,  FILTER_SANITIZE_EMAIL));

//example:
$theEmail="warith@d\igi7/7.com";
$theEmail=(filter_var($theEmail,  FILTER_SANITIZE_EMAIL));
echo $theEmail;
//cleaned out put will be: warith@digi77.com;
PHP

String values:

PHP
//To SANITIZE String value use
function StringInputCleaner($data)
{
	//remove space bfore and after
	$data = trim($data); 
	//remove slashes
	$data = stripslashes($data); 
	$data=(filter_var($data, FILTER_SANITIZE_STRING));
	return $data;
}	
//example:
$myString="Welcome  here"; ;
$myString=StringInputCleaner($myString);
echo $myString;
PHP

Sql statements:

PHP
//To SANITIZE Sql query value use
function mysqlCleaner($data)
{
	$data= mysql_real_escape_string($data);
	$data= stripslashes($data);
	return $data;
	//or in one line code 
	//return(stripslashes(mysql_real_escape_string($data)));
}	

//example:
$insert="delete from vbtube_tubes WHERE tubeid =$row5[0]";
$insert= mysqlCleaner($insert);
mysql_query($insert);
PHP

Quick reference: 

PHP
mysql_real_escape_string //---> used when inserting into database.

htmlentities() //---> used when outputing data into web page.

htmlspecialchars() //---> used if u want to display the html tags and not execute them.

strip_tags() //---> used when remove html tags.

addslashes() //---> used when u need to add extra front slash for every back slash.

stripslashes() //---> remove slashes.
PHP

More Santizing functions: 

PHP
FILTER_SANITIZE_NUMBER_FLOAT

FILTER_SANITIZE_SPECIAL_CHARS

FILTER_SANITIZE_STRING

FILTER_SANITIZE_URL

FILTER_SANITIZE_ENCODED
PHP

 

Posted in Tech BlogTags:
© 2024 Warith AL Maawali. All Rights Reserved.
Stay Secure, Stay Assured.