Sanitizing User Input with PHP
Now we return to PHP programming. It can never be emphasized enough that handling user data is a security minefield, and that it is essential to learn to treat all such data with utmost caution from the word go. It's actually not that difficult to sanitize user input from potential hacking attempts, but it must be done.
Therefore, you must never trust any variable that you fetch from either the $_GET or $_POST arrays until you have processed it. If you don't, users may try to inject JavaScript into the data to interfere with your site's operation, or even attempt to add MySQL commands to compromise your database.
Therefore, instead of just using code such as the following when reading in user input:
$variable = $_POST['user_input'];
For example, to prevent escape characters from being injected into a string that will be presented to MySQL, use the following:
$variable = $connection->real_escape_string($variable);
You will, however, still need to sanitize input when including it within HTML.
To get rid of unwanted slashes, use this:
$variable = stripslashes($variable);
And to neutralize any HTML in a string by converting its special characters to entities, use the following:
$variable = htmlentities($variable);
For example, this would change a string of interpretable HTML code like <b>hi</b> into &lt;b&gt;hi&lt;/b&gt;, which displays as text and won't be interpreted as HTML tags.
Finally, if you wish to strip HTML entirely from an input, use the following (but ensure you use it before calling htmlentities, which replaces any angle brackets used as part of HTML tags):
$variable = strip_tags($variable);
In fact, until you know exactly what sanitization you require for a program, you can use the pair of functions shown below, which brings all these checks together to provide a very good level of security.
<?php
// Strips slashes, removes HTML tags, then encodes any remaining special
// characters as HTML entities. The order matters: strip_tags must run
// before htmlentities, which would otherwise encode the angle brackets first.
function sanitizeString($var)
{
    $var = stripslashes($var);
    $var = strip_tags($var);
    $var = htmlentities($var);
    return $var;
}
// Escapes the string for use in a MySQL query, then applies sanitizeString.
function sanitizeMySQL($connection, $var)
{
    $var = $connection->real_escape_string($var);
    $var = sanitizeString($var);
    return $var;
}
?>
Real-Life Example Program
So let's look at how a real-life PHP program integrates with an HTML form by creating the program convert.php listed below. Type it as shown and try it for yourself.
A program to convert values between Fahrenheit and Celsius
<?php // convert.php
// Both fields start empty; whichever one the user filled in drives the conversion.
$f = $c = '';
// Sanitize the raw POST values before they are used anywhere.
if (isset($_POST['f'])) $f = sanitizeString($_POST['f']);
if (isset($_POST['c'])) $c = sanitizeString($_POST['c']);
if ($f != '')
{
    $c = intval((5 / 9) * ($f - 32));
    $out = "$f °f equals $c °c";
}
elseif($c != '')
{
    $f = intval((9 / 5) * $c + 32);
    $out = "$c °c equals $f °f";
}
else $out = "";
// Heredoc: no semicolon after the opening identifier; it goes on the closing _END line.
echo <<<_END
<html>
<head>
<title>Temperature Converter</title>
</head>
<body>
<pre>
Enter either Fahrenheit or Celsius and click on Convert
<b>$out</b>
<form method="post" action="convert.php">
Fahrenheit <input type="text" name="f" size="7">
Celsius <input type="text" name="c" size="7">
<input type="submit" value="Convert">
</form>
</pre>
</body>
</html>
_END;
function sanitizeString($var)
{
$var = stripslashes($var);
$var = strip_tags($var);
$var = htmlentities($var);
return $var;
}
?>
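As an added example that is not part of the book's code, here is a context-specific way to handle the convert.php inputs: validate each temperature as a number instead of filtering tags out of it, encode only at the point of HTML output, and hand any value destined for the database to a prepared statement rather than real_escape_string(). The mysqli $connection and the conversions table are assumptions for illustration.

```php
<?php
// Added example (not from the book). Each function handles one context:
// input validation, HTML output encoding, and database storage.

// Validate: a temperature is either a float or nothing. Any input that is
// not a plain decimal number (e.g. "<b>212</b>") is rejected outright
// rather than partially cleaned and then used in arithmetic.
function readTemperature(array $post, string $key): ?float
{
    if (!isset($post[$key]) || $post[$key] === '') {
        return null;
    }
    $value = filter_var($post[$key], FILTER_VALIDATE_FLOAT);
    return $value === false ? null : $value;
}

// Encode for HTML at output time. ENT_QUOTES covers both quote styles so
// the value is safe inside attribute values as well as element text;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function encodeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Store via a prepared statement: bound parameters are sent separately
// from the query text and are never parsed as SQL, so no escaping step
// is needed. The table conversions(f, c) is hypothetical.
function storeConversion(mysqli $connection, float $f, float $c): bool
{
    $stmt = $connection->prepare('INSERT INTO conversions (f, c) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('dd', $f, $c);
    return $stmt->execute();
}

// Constructed sample input standing in for $_POST.
$samplePost = ['f' => '<b>212</b>', 'c' => '100.5'];

$f = readTemperature($samplePost, 'f');   // rejected: tags make it non-numeric
$c = readTemperature($samplePost, 'c');   // accepted as a float
if ($f !== null) {
    echo encodeForHtml("$f °f equals " . intval((5 / 9) * ($f - 32)) . " °c"), "\n";
} elseif ($c !== null) {
    echo encodeForHtml("$c °c equals " . intval((9 / 5) * $c + 32) . " °f"), "\n";
}
```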