Sanitize data and prevent SQL injections in php

Sanitize data and prevent SQL injections in php

The reason for adding this blog is sometimes when I code in php I normally forget that data has to be sanitized before executing to prevent or XSS attacks. The simplest way to make SQL injection hard is to use either Mysqli or PDO prepare statements – Examples – as it keeps the SQL and data inputs completely separated. However if you need to use them on normal php statements here are good methods that I use.

 

Methods:

 
Integer values:


// To SANITIZE Integer value use
$var=(filter_var($var, FILTER_SANITIZE_NUMBER_INT));

//example:
$theNumber="983928/2ddo@3233'0 or 1 '%^33)_23@''''$9123!@~#";
$theNumber=(filter_var($theNumber, FILTER_SANITIZE_NUMBER_INT));
echo $theNumber; 
//cleaned out put will be: 983928232330133239123

 


 

Email values:


//To SANITIZE email query value use
$var=(filter_var($var,  FILTER_SANITIZE_EMAIL));

//example:
$theEmail="warith@d\igi7/7.com";
$theEmail=(filter_var($theEmail,  FILTER_SANITIZE_EMAIL));
echo $theEmail;
//cleaned out put will be: warith@digi77.com;

 


 

String values:


//To SANITIZE String value use
function StringInputCleaner($data)
{
	//remove space bfore and after
	$data = trim($data); 
	//remove slashes
	$data = stripslashes($data); 
	$data=(filter_var($data, FILTER_SANITIZE_STRING));
	return $data;
}	
//example:
$myString="Welcome <script> alert('\Hi digi77.com')</script> here"; ;
$myString=StringInputCleaner($myString);
echo $myString;
//cleaned out put will be: Welcome alert('Hi digi77.com') here

 


 

Sql statments:


//To SANITIZE Sql query value use
function mysqlCleaner($data)
{
	$data= mysql_real_escape_string($data);
	$data= stripslashes($data);
	return $data;
	//or in one line code 
	//return(stripslashes(mysql_real_escape_string($data)));
}	

//example:
$insert="delete from vbtube_tubes WHERE tubeid =$row5[0]";
$insert= mysqlCleaner($insert);
mysql_query($insert);

 


 

Quik refrence:

 

  • mysql_real_escape_string //—> used when inserting into database.
  • htmlentities() //—> used when outputing data into web page.
  • htmlspecialchars() //—> used if u want to display the html tags and not execute them.
  • strip_tags() //—> used when remove html tags.
  • addslashes() //—> used when u need to add extra front slash for every back slash.
  • stripslashes() //—> remove slashes.

 

More Santizing functions:

 

  • FILTER_SANITIZE_NUMBER_FLOAT
  • FILTER_SANITIZE_SPECIAL_CHARS
  • FILTER_SANITIZE_STRING
  • FILTER_SANITIZE_URL
  • FILTER_SANITIZE_ENCODED

 


 

Digiprove sealCopyright protected by Digiprove © 2013 Eagle Eye Digital Solutions
JOIN OUR NEWSLETTER
Amazing people have subscribed to our newsletter — and you’re amazing too!
We hate spam. Your email address will not be sold or shared with anyone else.
The following two tabs change content below.
Warith Al Maawali
W. AL Maawali is the Founder and Chief Editor of Eagle Eye Digital Solutions from the Sultanate of Oman with over 20 years experience in Security and Digital Forensics. He is also the Founder of om77.net.
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

4 comments

  1. I caution everyone against using mysql_real_escape_string(). You really should be using Prepared Statements instead.

    Also, your last example (“Sql statements”) appears to be very misguided. There isn’t some magic function that predicts what you want and saves you from hackers. You have to be very explicit. The best way to do this is to separate your data from the instructions that operate on said data.

    This advice is pretty dangerous. I’d strongly recommend revising it. Our team publishes a lot of blog posts about security engineering if you’re interested in reading up on the subject.

    • Dear Paragon Initiative Enterprises,

      If you have read the blog from the beginning you would have seen that I have recommended to use Prepared Statements to start with.

      Thank you for your advice please do share good example if you have.

  2. Dear Walid,

    As far as I know magic quotes will help but not prevent so the answer is Yes it can be injected because magic quotes uses PHP’s addslashes() function which is not unicode aware this means multi-byte characters are not escaped.

  3. I’m wondring if the website can be injected when the Magic Quotes in server is ON

commentJoin the Discussion

Pin It on Pinterest