8 Replies Latest reply on Aug 17, 2007 11:17 AM by Newsgroup_User

    PHP escaping user input

    MikeL7 Level 1
      I have been using strip_tags(addslashes($_POST['user_input'])) to clean up user input, but am wondering about get_magic_quotes and get_magic_quotes_gpc. Should I use magic quotes or addslashes? Some articles say they are the same, but they are different. What about htmlentities() before inserting? How many of these functions can you use, and how many are needed to be 'safe' from most injection attacks?

      strip_tags(htmlentities(addslashes($_POST['user_input'])))
      any others?
        • 1. Re: PHP escaping user input
          Level 7
          MikeL7 wrote:
          > I have been using strip_tags(addslashes($_POST['user_input'])) to clean-up user
          > input, but am wondering about get_magic_quotes and get_magic_quotes_gpc, should
          > i use magic quotes or addslashes, some articles say they are the same, but they
          > are different. What about htmlentities() before inserting, how many of these
          > functions can you use and are needed to be 'safe' from most injection attacks?

          You shouldn't use addslashes or magic quotes for the very important
          reason that magic quotes are being phased out of PHP. Although PHP 6 is
          probably a long way off, magic quotes are being removed completely.
          Also, addslashes is less safe than the tongue- and finger-twisting
          mysql_real_escape_string().

          The following page in the PHP manual shows you how to turn off magic quotes.

          http://www.php.net/manual/en/security.magicquotes.disabling.php

          If you can use .htaccess on your remote server, that's the best way.
          Otherwise, use the script in Example 31.2.

          Then pass your variables to mysql_real_escape_string() before inserting
          into a database:

          http://www.php.net/manual/en/function.mysql-real-escape-string.php

          When processing user input for use with mail(), you need to run checks
          for suspect phrases, particularly in the email field.

          --
          David Powers, Adobe Community Expert
          Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
          Author, "PHP Solutions" (friends of ED)
          http://foundationphp.com/
          • 2. Re: PHP escaping user input
            Level 7
            .oO(MikeL7)

            >I have been using strip_tags(addslashes($_POST['user_input'])) to clean-up user
            >input, but am wondering about get_magic_quotes and get_magic_quotes_gpc, should
            >i use magic quotes or addslashes, some articles say they are the same, but they
            >are different. What about htmlentities() before inserting, how many of these
            >functions can you use and are needed to be 'safe' from most injection attacks?
            >
            > strip_tags(htmlentities(addslashes($_POST['user_input'])))
            > any others?

            Forget that, you'll just corrupt the data. In addition to David's reply:

            You should always work with _raw_ data inside of your application and
            use target-dependent escaping mechanisms. The first thing to take care
            of when getting data into your script are the magic quotes. If you can't
            turn them off, check with get_magic_quotes_gpc() and use stripslashes()
            if necessary to remove these crappy slashes (magic quotes are dead).

            When writing that stuff to a database, use a DB-specific escaping
            function - and _only_ that. You really don't want to store HTML in your
            DB unless you have special requirements and know what you're doing. For
            MySQL use mysql_real_escape_string(). Even better would be to use PDO
            and prepared statements, but this might not always be available on cheap
            hosts.

            When printing out stuff to a HTML page, use htmlspecialchars() - and
            _only_ that. It will take care of the few chars that have a special
            meaning in HTML and have to be written as character references.

            There's hardly a reason to use strip_slashes(), and there's nearly never
            a reason to use addslashes().

            In short: Think about where your data is supposed to go and only use the
            required escaping functions for that particular target.

            Micha
            • 3. Re: PHP escaping user input
              MikeL7 Level 1
              I have made a function to clean user input, and decided to just remove any of the characters that could cause problems (single and double quotes, forward and backward slash, percent symbol). I wanted to know what other characters I should add to my remove_characters array to make the input safe. I can add more PHP functions to clean data, and I think this is what Michael Fesser meant to use in his post. If I remove quotes and slashes with str_replace, is there no need for magic quotes or escape string? return ($forum_user_comments);

              function clean_input($user_input)
              {
              // Strip HTML tags first.
              $user_input = strip_tags($user_input);
              // Characters the post says it removes: both quote styles, forward slash,
              // percent and backslash (the original array listed "'" twice and no "\\").
              $remove_characters = array('"', "'", "/", "%", '\\');
              $user_input = str_replace($remove_characters, "", $user_input);
              return $user_input;
              }
              • 4. Re: PHP escaping user input
                Level 7
                .oO(MikeL7)

                >I have made a function to clean user input, and decided to just remove any of
                >the characters that could cause problems (single and double quotes, forward and
                >backward slash, percent symbol)

                What about a name database and "Miles O'Brian"?

                >, i wanted to know what other characters i
                >should add to my remove_characters array to make the input safe.

                Such a blacklist approach can never be absolutely secure. There are
                better ways.

                >I can add more
                >php functions to clean data and i think this is what Michael Fesser meant to
                >use in his post.

                Not exactly. I would _never_ remove any chars from user input if the
                value is supposed to be a string. My scripts accept everything - but I
                decide how to handle it! If the data is supposed to go straight into a
                database it is pushed through a prepared statement with a declared
                "string" type and that's it. If the same value is supposed to be printed
                on a web page - it's passed through htmlspecialchars() and that's it. I
                would never remove any characters unless it's _really_ necessary. But
                until now I've never seen a necessity to remove any chars.

                >If i remove quotes and slashes with str_replace no need for
                >magic quotes, or escape string? return ($forum_user_comments);

                The input string itself could contain escaped characters or something
                like CHAR(39) for example.

                Micha
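The approach Micha lays out in posts 2 and 4, as an added example that is not code from the thread: one raw value, escaped differently for each target it goes to. SQLite in memory stands in for the MySQL table the thread discusses (assumed schema: albums(id, name)), and the last function covers the caption case of posts 7 and 8 on the assumption, which the thread does not confirm, that the captions are JavaScript string literals.

```php
<?php
// Added example (not from the thread). Raw data in, target-specific escaping out.

// 1. Get raw data into the script: undo magic quotes if the host still has them on (post 2).
function raw_post(string $key): string
{
    $value = $_POST[$key] ?? '';
    // get_magic_quotes_gpc() was removed in PHP 8, so guard the call.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 2. Database target: a prepared statement with a declared string type (post 4), nothing else.
function insert_album(PDO $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO albums (name) VALUES (:name)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

function album_name(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT name FROM albums WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return (string) $stmt->fetchColumn();
}

// 3. HTML target: htmlspecialchars() and only that, applied at output time, not before storing.
function html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// 4. Script target (assumption: the slideshow captions are JavaScript string literals):
//    json_encode() emits a correctly quoted literal, so user quotes cannot end the string.
function js_string(string $text): string
{
    return json_encode($text, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed input: the kind of name post 4 objects to losing, plus a double quote.
$_POST['album'] = "Miles O'Brian's \"Best\" photos";
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE albums (id INTEGER PRIMARY KEY, name TEXT)');
$stored = album_name($db, insert_album($db, raw_post('album')));   // identical to the input
echo html($stored), "\n";                      // safe inside an HTML element or attribute
echo 'captions: [', js_string($stored), "]\n"; // safe inside a <script> array literal
```

The stored value comes back byte-for-byte equal to what was posted; only the two output functions change its form, and each only for its own target.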
                • 5. Re: PHP escaping user input
                  MikeL7 Level 1
                  The name thing would be a problem. What I am working on is a slide show using Flash where users can upload pictures and input descriptions of the pic, and also make and name the albums: a DB-driven photo site.
                  The problem is that if a user inputs a " or ' in the name of the album, part of the Flash slide show script displays on the page, and if the user puts a quote in the description, the slide show doesn't show up at all. I am thinking that for this use I should remove the quotes and put a disclaimer on the input form.

                  I just tested again and either single or double quotes ruins the script for the slideshow?

                  • 6. Re: PHP escaping user input
                    Level 7
                    .oO(MikeL7)

                    > The problem is if a user inputs a " or ' in the name of the album part of the
                    >flash slide show script displays on the page, if the user puts a quote in the
                    >description, the slide show doesn't show up at all, i am thinking that for this
                    >use i should remove the quotes and put a disclaimer on the input form.

                    No. You just have to properly escape those characters when inserting
                    them into the DB and when printing the text out again.

                    > I just tested again and either single or double quotes ruins the script for
                    >the slideshow?

                    Of course they do, because you have a bug in your script. For writing a
                    string into a MySQL database there is mysql_real_escape_string() (or
                    prepared statements), for printing something out to an HTML page there
                    is htmlspecialchars().

                    With a proper handling/escaping where necessary your users can enter
                    whatever they want without breaking anything.

                    Micha
                    • 7. Re: PHP escaping user input
                      MikeL7 Level 1
                      I changed my functions to use htmlspecialchars and mysql_real_escape_string, and the Flash slide show still doesn't work. I am using the out-of-the-box slide show DW inserts into the page. The only thing I did was add the string for image paths from my DB; the quotes break the Flash script. I think it is because the script uses quotes to define the captions:
                      \'caption text here\', \'next picture caption here\'
                      • 8. Re: PHP escaping user input
                        Level 7
                        .oO(MikeL7)

                        >I changed my functions to use htmlspecialchars and mysql_real_escape_string,
                        >and the flash slide show still doesnt work, i am using the out of the box slide
                        >show DW inserts into the page. The only thing i did was add the string for
                        >image paths from my db, the quotes break the flash script I think it is because
                        >the script uses quotes to define the captions
                        > \'caption text here\', \'next picture caption here\'

                        Hmm, sorry, then I can't help with this.

                        Micha