Warith AL Maawali
Sanitize data and prevent SQL injections in PHP

07/06/2013

Importance of Data Sanitization in PHP: Preventing SQL and XSS Attacks

The reason for adding this blog is that sometimes when I code in PHP, I forget that data has to be sanitized before execution to prevent SQL or XSS attacks. The simplest way to make SQL injection difficult is to use either MySQLi or PDO prepared statements, as they keep the SQL queries and data inputs completely separated.

However, if you need to sanitize data in normal PHP statements, here are some effective methods that I use:

  1. Prepared Statements with MySQLi:
    • Use MySQLi prepared statements to ensure that SQL queries and data are processed separately, reducing the risk of SQL injection attacks.
  2. Prepared Statements with PDO:
    • Similar to MySQLi, PDO (PHP Data Objects) also supports prepared statements, providing a secure way to handle SQL queries.
  3. Sanitizing Data in PHP:
    • Use functions such as htmlspecialchars() and strip_tags() to sanitize user inputs and prevent XSS attacks.
    • Validate and sanitize data before using it in SQL queries or displaying it on a web page.

By following these practices, you can significantly reduce the risk of SQL and XSS attacks in your PHP applications, ensuring that your data is handled securely.

Methods:

Integer values:

// To SANITIZE an integer value use:
$var = filter_var($var, FILTER_SANITIZE_NUMBER_INT);

// example:
$theNumber = "983928/2ddo@3233'0 or 1 '%^33)_23@''''$9123!@~#";
$theNumber = filter_var($theNumber, FILTER_SANITIZE_NUMBER_INT);
echo $theNumber;
// cleaned output will be: 983928232330133239123
// (everything except digits, '+' and '-' is stripped; if the value must be
// a genuine integer, check it with FILTER_VALIDATE_INT instead of only stripping)

Email values:

// To SANITIZE an email value use:
$var = filter_var($var, FILTER_SANITIZE_EMAIL);

// example:
$theEmail = "warith@d\igi7/7.com";
$theEmail = filter_var($theEmail, FILTER_SANITIZE_EMAIL);
echo $theEmail;
// cleaned output will be: warith@digi77.com
// (characters that are not allowed in an address, here '\' and '/', are removed;
// FILTER_VALIDATE_EMAIL then tells you whether what is left is a valid address)

String values:

// To SANITIZE a string value use:
function StringInputCleaner($data)
{
    // remove whitespace before and after
    $data = trim($data);
    // remove slashes (undoes magic_quotes-style escaping)
    $data = stripslashes($data);
    // strip tags and encode quotes.
    // Note: FILTER_SANITIZE_STRING is deprecated since PHP 8.1;
    // on current PHP use htmlspecialchars() at output time instead.
    $data = filter_var($data, FILTER_SANITIZE_STRING);
    return $data;
}

// example:
$myString = "Welcome here";
$myString = StringInputCleaner($myString);
echo $myString;

Sql statements:

// To SANITIZE a value before putting it into an SQL query use:
function mysqlCleaner($data)
{
    // undo any slashes added by magic_quotes first, THEN escape for MySQL;
    // stripping slashes after escaping would remove the escaping again
    $data = stripslashes($data);
    // needs an open mysql_connect() link.
    // Note: the mysql_* extension was removed in PHP 7; use
    // mysqli_real_escape_string() or, better, a prepared statement.
    $data = mysql_real_escape_string($data);
    return $data;
    // or in one line:
    // return mysql_real_escape_string(stripslashes($data));
}

// example: escape the VALUE, not the whole query, and keep it quoted
$tubeid = mysqlCleaner($row5[0]);
$delete = "DELETE FROM vbtube_tubes WHERE tubeid = '$tubeid'";
mysql_query($delete);
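The same DELETE written with the prepared statements that items 1 and 2 above recommend. This is an added example, not code from the original post; the connection details and the use of $_GET['tubeid'] as the input source are assumptions.

```php
<?php
// Added example: prepared statements for the vbtube_tubes DELETE.
// Connection details below are placeholders.
$host = 'localhost'; $db = 'vbtube'; $user = 'app'; $pass = 'secret';

// Untrusted input (assumed to arrive as $_GET['tubeid']). Validate the
// type first so a non-numeric value is rejected before any query exists.
$raw    = $_GET['tubeid'] ?? '';
$tubeId = filter_var($raw, FILTER_VALIDATE_INT);
if ($tubeId === false) {
    http_response_code(400);
    exit('invalid tubeid');
}

// 1. MySQLi prepared statement: the SQL text is sent to the server on
//    its own and the value is bound afterwards, so quotes or "0 or 1"
//    inside $raw can never become part of the statement.
$mysqli = new mysqli($host, $user, $pass, $db);
$stmt = $mysqli->prepare('DELETE FROM vbtube_tubes WHERE tubeid = ?');
$stmt->bind_param('i', $tubeId);   // 'i' = bind as integer
$stmt->execute();
printf("mysqli: %d row(s) deleted\n", $stmt->affected_rows);
$stmt->close();

// 2. PDO prepared statement for the same query. Emulated prepares are
//    switched off so the MySQL server, not PDO, binds the parameter.
$pdo = new PDO("mysql:host=$host;dbname=$db;charset=utf8mb4", $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('DELETE FROM vbtube_tubes WHERE tubeid = :id');
$stmt->bindValue(':id', $tubeId, PDO::PARAM_INT);
$stmt->execute();
printf("pdo: %d row(s) deleted\n", $stmt->rowCount());
```

Either variant removes the need for mysqlCleaner() on the value; escaping is then only relevant for the rare identifier or LIMIT fragment that cannot be bound.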

Quick reference:

  • mysql_real_escape_string() //—> used when inserting into the database.
  • htmlentities() //—> used when outputting data into a web page.
  • htmlspecialchars() //—> used if you want to display the HTML tags and not execute them.
  • strip_tags() //—> used to remove HTML tags.
  • addslashes() //—> used when you need to add an extra front slash for every backslash.
  • stripslashes() //—> removes slashes.

More sanitizing functions:

  • FILTER_SANITIZE_NUMBER_FLOAT
  • FILTER_SANITIZE_SPECIAL_CHARS
  • FILTER_SANITIZE_STRING
  • FILTER_SANITIZE_URL
  • FILTER_SANITIZE_ENCODED

© 2024 Warith AL Maawali. All Rights Reserved.
Stay Secure, Stay Assured.