Importance of Data Sanitization in PHP: Preventing SQL and XSS Attacks
The reason for adding this post is that sometimes when I code in PHP, I forget that data has to be sanitized or validated before it goes into a query or onto a page, to prevent SQL injection or XSS attacks. The most reliable way to stop SQL injection is to use MySQLi or PDO prepared statements: the query is sent with placeholders and the values are bound separately, so user input is never parsed as SQL. If you also need to sanitize or validate data in ordinary PHP code, here are the methods I use:
- Prepared Statements with MySQLi:
- MySQLi prepared statements send the query with ? placeholders and bind the values separately, so the database never parses user data as part of the SQL and injection through a bound value is not possible.
- Prepared Statements with PDO:
- PDO (PHP Data Objects) supports the same positional or named placeholders and also works with databases other than MySQL; set PDO::ATTR_EMULATE_PREPARES to false so the server, not the client driver, handles the parameters.
- Sanitizing Data in PHP:
- Validate input with filter_var() and the FILTER_VALIDATE_* filters before it is used in a query, and encode output with htmlspecialchars() when it is written into a web page to prevent XSS.
- strip_tags() removes HTML tags but is not an XSS defence on its own: a payload that breaks out of an attribute value contains no tag at all.
By following these practices, you can significantly reduce the risk of SQL and XSS attacks in your PHP applications, ensuring that your data is handled securely.
Methods:
Integer values:
// To SANITIZE Integer value use (keeps only digits, plus and minus)
$var=filter_var($var, FILTER_SANITIZE_NUMBER_INT);
//example:
$theNumber="983928/2ddo@3233'0 or 1 '%^33)_23@''''$9123!@~#";
$theNumber=filter_var($theNumber, FILTER_SANITIZE_NUMBER_INT);
echo $theNumber;
//cleaned output will be: 983928232330133239123
//Note: the result is no longer a meaningful number (it is also larger than PHP_INT_MAX).
//When the value must really be an integer, validate it with FILTER_VALIDATE_INT and reject
//the request instead of repairing the input.
Email values:
//To SANITIZE email value use (removes every character that cannot appear in an address)
$var=filter_var($var, FILTER_SANITIZE_EMAIL);
//example:
$theEmail="warith@d\igi7/7.com";
$theEmail=filter_var($theEmail, FILTER_SANITIZE_EMAIL);
echo $theEmail;
//cleaned output will be: warith@digi77.com
//Note: removing characters does not make the result an address; check it with
//FILTER_VALIDATE_EMAIL before storing it or mailing to it.
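The two sanitizers above delete characters and keep whatever is left. The safer habit is to validate and reject. The following is an added example, not code from the original post; it runs the two hostile strings from the integer and e-mail sections, plus a few inputs constructed for the demo, through FILTER_SANITIZE_* and FILTER_VALIDATE_* side by side. The helper names validateId() and validateEmail() are my own.

```php
<?php
// Added example, not code from the original post: validating instead of sanitizing,
// run over the two hostile strings used above plus a few constructed inputs.

// A positive integer id or null. FILTER_VALIDATE_INT accepts only a well-formed
// integer (optional sign, digits, surrounding whitespace) within range; it never
// "repairs" the input the way FILTER_SANITIZE_NUMBER_INT does.
function validateId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// A syntactically valid address or null. Validate the RAW input: sanitizing first can
// turn junk into something that passes (see the last e-mail sample).
function validateEmail(string $raw): ?string
{
    $ok = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

// Constructed inputs; the last one is the hostile string from the integer example.
$numbers = [
    "42",
    " 42 ",
    "-7",
    "1 OR 1=1",
    "983928/2ddo@3233'0 or 1 '%^33)_23@''''$9123!@~#",
];
foreach ($numbers as $raw) {
    printf("%-50s sanitize=%-24s validate=%s\n",
        json_encode($raw),
        filter_var($raw, FILTER_SANITIZE_NUMBER_INT),
        var_export(validateId($raw), true));
}

// Constructed inputs; the first one is the string from the e-mail example.
$emails = [
    "warith@d\igi7/7.com",
    "alice@example.com",
    "alice@example.com<script>",
];
foreach ($emails as $raw) {
    $sanitized = filter_var($raw, FILTER_SANITIZE_EMAIL);
    printf("%-32s sanitize=%-26s validate(raw)=%-20s validate(sanitized)=%s\n",
        json_encode($raw),
        $sanitized,
        var_export(validateEmail($raw), true),
        var_export(validateEmail($sanitized), true));
}
```

Every hostile number is rejected by validateId(), including the 21-digit string the sanitizer produces, because it is outside the integer range. The line to look at is the last e-mail: validating the raw input rejects it, but sanitizing first strips the angle brackets and leaves "alice@example.comscript", which is a syntactically valid address and passes. Sanitize for display if you must, but validate what you were actually given.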
String values:
//To SANITIZE String value use
function StringInputCleaner($data)
{
//remove space before and after
$data = trim($data);
//remove backslashes; only useful for data that came through addslashes() or the
//old magic_quotes feature (removed in PHP 5.4), otherwise it corrupts legitimate backslashes
$data = stripslashes($data);
//strip tags and encode quotes. FILTER_SANITIZE_STRING did this but is deprecated
//since PHP 8.1, so do the two steps explicitly (closest replacement)
$data = strip_tags($data);
$data = htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
return $data;
}
//example:
$myString="Welcome here";
$myString=StringInputCleaner($myString);
echo $myString;
//output: Welcome here
Sql statements:
//To ESCAPE a single value before it is placed inside a quoted SQL string literal.
//mysql_real_escape_string() and mysql_query() were removed in PHP 7.0; the mysqli
//equivalents need the open connection, because escaping depends on the connection charset.
function mysqlCleaner(mysqli $conn, $data)
{
//escape quotes, backslashes and NUL so the value cannot close the string literal.
//Do NOT call stripslashes() on the result: that undoes the escaping, which is what
//the earlier version of this function did (escape, then strip, net effect nothing).
return mysqli_real_escape_string($conn, $data);
}
//example: escape the VALUE and put it in quotes. Escaping the finished query either
//breaks it or, after stripslashes(), changes nothing. The earlier form
//"WHERE tubeid =$row5[0]" also left the value unquoted, so escaping could not have
//helped there: an input such as 1 OR 1=1 contains nothing to escape.
//$conn is an open mysqli connection
$tubeid=mysqlCleaner($conn, $row5[0]);
$delete="delete from vbtube_tubes WHERE tubeid ='$tubeid'";
mysqli_query($conn, $delete);
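Escaping is the fallback; the prepared statements recommended at the top of the post remove the problem entirely, because the value never becomes part of the SQL text. The following is an added example, not the post's own code, that rewrites the delete-by-tubeid query from the mysqlCleaner section as a prepared statement, once with MySQLi and once with PDO. It assumes a MySQL server reachable with the placeholder credentials in the block and a table vbtube_tubes with an integer tubeid column as in the original post; the helper names requireInt(), deleteTubeMysqli() and deleteTubePdo() are my own.

```php
<?php
// Added example (not the post's own code): the delete-by-tubeid query from the
// mysqlCleaner section written as a prepared statement, first with MySQLi and then
// with PDO. Assumptions: a MySQL server reachable with the placeholder credentials
// below and a table vbtube_tubes(tubeid INT) as in the original post.

$host = 'localhost';   // placeholders, replace with your own
$user = 'dbuser';
$pass = 'dbpass';
$db   = 'vbdb';

// Check the type before the value gets anywhere near SQL. FILTER_VALIDATE_INT returns
// false for '5 OR 1=1', and the request is rejected instead of "repaired".
function requireInt(string $raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException("tubeid must be a positive integer, got " . json_encode($raw));
    }
    return $id;
}

// MySQLi: the SQL text contains only a placeholder; the integer travels separately.
function deleteTubeMysqli(mysqli $conn, string $raw): int
{
    $id   = requireInt($raw);
    $stmt = $conn->prepare('DELETE FROM vbtube_tubes WHERE tubeid = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// PDO: same idea with a named placeholder and an explicit parameter type.
function deleteTubePdo(PDO $pdo, string $raw): int
{
    $id   = requireInt($raw);
    $stmt = $pdo->prepare('DELETE FROM vbtube_tubes WHERE tubeid = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$mysqli = new mysqli($host, $user, $pass, $db);
$mysqli->set_charset('utf8mb4');   // escaping and binding are charset-aware

$pdo = new PDO("mysql:host=$host;dbname=$db;charset=utf8mb4", $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepare, not client-side quoting
]);

// Constructed inputs: the second one would have deleted every row when concatenated
// unquoted into "delete from vbtube_tubes WHERE tubeid =$row5[0]".
foreach (['5', '5 OR 1=1'] as $input) {
    try {
        printf("mysqli: deleted %d row(s) for %s\n", deleteTubeMysqli($mysqli, $input), json_encode($input));
        printf("pdo:    deleted %d row(s) for %s\n", deleteTubePdo($pdo, $input), json_encode($input));
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```

Two design points: the integer check is done in PHP before the statement runs, because a placeholder protects against injection but does not make "5 OR 1=1" a number (MySQLi would coerce it, PDO would compare against the literal string); and PDO::ATTR_EMULATE_PREPARES is turned off so the query and its parameters really are sent to the server separately rather than being quoted together by the driver.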
Quick reference:
- mysqli_real_escape_string() //—> escapes a value that is placed inside a quoted SQL string literal (mysql_real_escape_string() was removed in PHP 7.0); prepared statements are the better option.
- htmlentities() //—> encodes every character that has a named HTML entity; used when outputting data into a web page.
- htmlspecialchars() //—> encodes only & < > " ' (with ENT_QUOTES), so that HTML tags are displayed as text and not rendered; this is enough for HTML output and the usual choice.
- strip_tags() //—> removes HTML tags; not an XSS defence on its own, because an attribute breakout contains no tag.
- addslashes() //—> prefixes ' " \ and NUL with a backslash; not a substitute for database escaping.
- stripslashes() //—> removes those backslashes; only needed to undo addslashes() or the removed magic_quotes feature.
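The functions in the quick reference differ by output context, which is what decides whether they protect you. The following is an added example, not from the original post, that renders one untrusted value into an HTML text node, a quoted attribute and a script block, and shows on constructed payloads why strip_tags() alone is not an XSS defence. The helper names e(), js() and renderProfile() are my own.

```php
<?php
// Added example (not from the original post): output encoding for XSS, and why
// strip_tags() alone is not enough. All payloads below are constructed for the demo.

// Encode for an HTML text node or a double-quoted HTML attribute.
// ENT_QUOTES also escapes the single quote; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string; always pass the charset explicitly.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode for use inside a <script> block: JSON with the HTML-significant characters
// hex-escaped, so that a "</script>" in the data cannot terminate the block early.
function js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Render the same untrusted value into three contexts. Attributes must be quoted:
// e() makes a quoted attribute safe, it does not make an unquoted one safe.
function renderProfile(string $name): string
{
    return '<p>Hello, ' . e($name) . "</p>\n"
         . '<input type="text" name="name" value="' . e($name) . "\">\n"
         . '<script>var user = ' . js($name) . ";</script>\n";
}

$payloads = [
    '<script>alert(1)</script>',           // tag injection: strip_tags() removes it
    '" onmouseover="alert(1)',             // attribute breakout: no tag, strip_tags() leaves it intact
    '</script><script>alert(1)</script>',  // would close the script block if only quoted, not hex-escaped
];

foreach ($payloads as $p) {
    echo "payload    : ", $p, "\n";
    echo "strip_tags : ", strip_tags($p), "\n";
    echo renderProfile($p), "\n";
}
```

The second payload is the important one: strip_tags() returns it unchanged, and if it were written into value="..." unencoded it would close the attribute and add an event handler, while e() turns the quotes into &quot; and the attribute stays intact. The third shows why a script context needs its own encoder: htmlspecialchars() output is not valid inside JavaScript, and a plain json_encode() would still emit a literal </script>.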
More sanitizing functions:
- FILTER_SANITIZE_NUMBER_FLOAT //—> keeps digits, plus and minus; add FILTER_FLAG_ALLOW_FRACTION to keep the decimal point.
- FILTER_SANITIZE_SPECIAL_CHARS //—> HTML-encodes ' " < > & and characters below ASCII 32.
- FILTER_SANITIZE_STRING //—> strips tags and encodes quotes; deprecated since PHP 8.1, use strip_tags() and htmlspecialchars() on output instead.
- FILTER_SANITIZE_URL //—> removes all characters that are not allowed in a URL.
- FILTER_SANITIZE_ENCODED //—> URL-encodes the string, like urlencode().
Posted in Tech Blog