How can I sanitize user input with PHP

Question

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks  while still allowing certain types of HTML tags

User · Answer

There is the filter extension  howto-link  manual   which works pretty well with all GPC variables  It s not a magic-do-it-all thing though  you will still have to use it

User · Answer

No  there is not   First of all  SQL injection is an input filtering problem  and XSS is an output escaping one - so you wouldn t even execute these two operations at the same time in the code lifecycle   Basic rules of thumb   For SQL query  bind parameters  as with PDO  or use a driver-native escaping function for query variables  such as mysql real escape string    Use strip tags   to filter out unwanted HTML Escape all other output with htmlspecialchars   and be mindful of the 2nd and 3rd parameters here

User · Answer

You never sanitize input  You always sanitize output  The transforms you apply to data to make it safe for inclusion in an SQL statement are completely different from those you apply for inclusion in HTML are completely different from those you apply for inclusion in Javascript are completely different from those you apply for inclusion in LDIF are completely different from those you apply to inclusion in CSS are completely different from those you apply to inclusion in an Email     By all means validate input - decide whether you should accept it for further processing or tell the user it is unacceptable  But don t apply any change to representation of the data until it is about to leave PHP land  A long time ago someone tried to invent a one-size fits all mechanism for escaping data and we ended up with  quot magic quotes quot  which didn t properly escape data for all output targets and resulted in different installation requiring different code to work

User · Answer

There s no catchall function  because there are multiple concerns to be addressed    SQL Injection - Today  generally  every PHP project should be using prepared statements via PHP Data Objects  PDO  as a best practice  preventing an error from a stray quote as well as a full-featured solution against injection  It s also the most flexible  amp  secure way to access your database    Check out  The only proper  PDO tutorial for pretty much everything you need to know about PDO   Sincere thanks to top SO contributor   YourCommonSense  for this great resource on the subject   XSS - Sanitize data on the way in       HTML Purifier has been around a long time and is still actively updated  You can use it to sanitize malicious input  while still allowing a generous  amp  configurable whitelist of tags  Works great with many WYSIWYG editors  but it might be heavy for some use cases  In other instances  where we don t want to accept HTML Javascript at all  I ve found this simple function useful  and has passed multiple audits against XSS         Prevent XSS input    function sanitizeXSS            GET     filter input array INPUT GET  FILTER SANITIZE STRING         POST    filter input array INPUT POST  FILTER SANITIZE STRING         REQUEST    array   POST    array   GET    array   REQUEST     XSS - Sanitize data on the way out    unless you guarantee the data was properly sanitized before you add it to your database  you ll need to sanitize it before displaying it to your user  we can leverage these useful PHP functions     When you call echo or print to display user-supplied values  use htmlspecialchars unless the data was properly sanitized safe and is allowed to display HTML  json encode is a safe way to provide user-supplied values from PHP to Javascript  Do you call external shell commands using exec   or system   functions  or to the backtick operator  If so  in addition to SQL Injection  amp  XSS you might have an additional concern to address  users running malicious commands on your server  You need to use escapeshellcmd if you d like to escape the entire command OR escapeshellarg to escape individual arguments

User · Answer

PHP 5 2 introduced the filter var function   It supports a great deal of SANITIZE  VALIDATE filters   http   php net manual en function filter-var php

User · Answer

What you are describing here is two separate issues     Sanitizing   filtering of user input data  Escaping output    1  User input should always be assumed to be bad   Using prepared statements  or and filtering with mysql real escape string is definitely a must  PHP also has filter input built in which is a good place to start   2  This is a large topic  and it depends on the context of the data being output  For HTML there are solutions such as htmlpurifier out there  as a rule of thumb  always escape anything you output   Both issues are far too big to go into in a single post  but there are lots of posts which go into more detail   Methods PHP output  Safer PHP output

User · Answer

Never trust user data   function  clean input  data         data   trim  data        data   stripslashes  data        data   htmlspecialchars  data       return   data      The trim   function removes whitespace and other predefined characters from both sides of a string   The stripslashes   function removes backslashes  The htmlspecialchars   function converts some predefined characters to HTML entities   The predefined characters are    amp   ampersand  becomes  amp amp     double quote  becomes  amp quot     single quote  becomes  amp  039   lt   less than  becomes  amp lt   gt   greater than  becomes  amp gt

User · Answer

Just wanted to add that on the subject of output escaping  if you use php DOMDocument to make your html output it will automatically escape in the right context  An attribute  value     and the inner text of a  lt span gt  are not equal  To be safe against XSS read this  OWASP XSS Prevention Cheat Sheet

User · Answer

It s a common misconception that user input can be filtered  PHP even has a  now deprecated   quot feature quot   called magic-quotes  that builds on this idea  It s nonsense  Forget about filtering  or cleaning  or whatever people call it   What you should do  to avoid problems  is quite simple  whenever you embed a a piece of data within a foreign code  you must treat it according to the formatting rules of that code  But you must understand that such rules could be too complicated to try to follow them all manually  For example  in SQL  rules for strings  numbers and identifiers are all different  For your convenience  in most cases there is a dedicated tool for such an embedding  For example  when you need to use a PHP variable in the SQL query  you have to use a prepared statement  that will take care of all the proper formatting treatment  Another example is HTML  If you embed strings within HTML markup  you must escape it with htmlspecialchars  This means that every single echo or print statement should use htmlspecialchars  A third example could be shell commands  If you are going to embed strings  such as arguments  to external commands  and call them with exec  then you must use escapeshellcmd and escapeshellarg  Also  a very compelling example is JSON  The rules are so numerous and complicated that you would never be able to follow them all manually  That s why you should never ever create a JSON string manually  but always use a dedicated function  json encode   that will correctly format every bit of data  And so on and so forth     The only case where you need to actively filter data  is if you re accepting preformatted input  For example  if you let your users post HTML markup  that you plan to display on the site  However  you should be wise to avoid this at all cost  since no matter how well you filter it  it will always be a potential security hole

User · Answer

Methods for sanitizing user input with PHP     Use Modern Versions of MySQL and PHP  Set charset explicitly     mysqli- set charset  utf8   manual  pdo   new PDO  mysql host localhost dbname testdb charset UTF8    user   password  manual   pdo- exec  set names utf8   manual    pdo   new PDO   mysql host  host dbname  db    user   pass   array  PDO  ATTR ERRMODE    PDO  ERRMODE EXCEPTION  PDO  MYSQL ATTR INIT COMMAND     SET NAMES utf8      manual mysql set charset  utf8     deprecated in PHP 5 5 0  removed in PHP 7 0 0    Use secure charsets    Select utf8  latin1  ascii    dont use vulnerable charsets big5  cp932  gb2312  gbk  sjis   Use spatialized function    MySQLi prepared statements    stmt    mysqli- prepare  SELECT   FROM test WHERE name     LIMIT 1     param      OR 1 1      stmt- bind param  s    param   stmt- execute    PDO  quote   - places quotes around the input string  if required  and escapes special characters within the input string  using a quoting style appropriate to the underlying driver  pdo   new PDO  mysql host localhost dbname testdb charset UTF8    user   password  explicit set the character set pdo- setAttribute PDO  ATTR EMULATE PREPARES  false  disable emulating prepared statements to prevent  fallback to emulating statements that MySQL can t prepare natively  to prevent injection  var     pdo- quote    OR 1 1      not only escapes the literal  but also quotes it  in single-quote   characters   stmt    pdo- query  SELECT   FROM test WHERE name    var LIMIT 1     PDO Prepared Statements  vs MySQLi prepared statements supports more database drivers and named parameters   pdo   new PDO  mysql host localhost dbname testdb charset UTF8    user   password  explicit set the character set pdo- setAttribute PDO  ATTR EMULATE PREPARES  false  disable emulating prepared statements to prevent  fallback to emulating statements that MySQL can t prepare natively  to prevent injection   stmt    pdo- prepare  SELECT   FROM test WHERE name     LIMIT 1     stmt- execute     OR 1 1        mysql real escape string  deprecated in PHP 5 5 0  removed in PHP 7 0 0   mysqli real escape string Escapes special characters in a string for use in an SQL statement  taking into account the current charset of the connection  But recommended to use Prepared Statements because they are not simply escaped strings  a statement comes up with a complete query execution plan  including which tables and indexes it would use  it is a optimized way  Use single quotes       around your variables inside your query   Check the variable contains what you are expecting for    If you are expecting an integer  use   ctype digit     Check for numeric character s   value    int   value  value   intval  value   var   filter var  0755   FILTER VALIDATE INT   options   For Strings use  is string       Find whether the type of a variable is stringUse Filter Function filter var       filters a variable with a specified filter  email   filter var  email  FILTER SANITIZE EMAIL   newstr   filter var  str  FILTER SANITIZE STRING  more predefined filters filter input       Gets a specific external variable by name and optionally filters it  search html   filter input INPUT GET   search   FILTER SANITIZE SPECIAL CHARS   preg match       Perform a regular expression match  Write Your own validation function

User · Answer

Do not try to prevent SQL injection by sanitizing input data   Instead  do not allow data to be used in creating your SQL code   Use Prepared Statements  i e  using parameters in a template query  that uses bound variables   It is the only way to be guaranteed against SQL injection   Please see my website http   bobby-tables com  for more about preventing SQL injection

User · Answer

Easiest way to avoid mistakes in sanitizing input and escaping data is using PHP framework like Symfony  Nette etc  or part of that framework  templating engine  database layer  ORM    Templating engine like Twig or Latte has output escaping on by default - you don t have to solve manually if you have properly escaped your output depending on context  HTML or Javascript part of web page    Framework is automatically sanitizing input and you should t use   POST    GET or   SESSION variables directly  but through mechanism like routing  session handling etc   And for database  model  layer there are ORM frameworks like Doctrine or wrappers around PDO like Nette Database   You can read more about it here - What is a software framework

User · Answer

PHP has the new nice filter input functions now  that for instance liberate you from finding  the ultimate e-mail regex  now that there is a built-in FILTER VALIDATE EMAIL type  My own filter class  uses JavaScript to highlight faulty fields  can be initiated by either an ajax request or normal form post   see the example below                Pork FormValidator     Validates arrays or properties by setting up simple arrays       Note that some of the regexes are for dutch input      Example           validations   array  name    gt   anything   email    gt   email   alias    gt   anything   pwd   gt  anything   gsm    gt   phone   birthdate    gt   date         required   array  name    email    alias    pwd         sanitize   array  alias            validator   new FormValidator  validations   required   sanitize                            if  validator- gt validate   POST                   POST    validator- gt sanitize   POST              now do your saving    POST has been sanitized          die  validator- gt getScript     lt script type  text javascript  gt alert  saved changes    lt  script gt               else               die  validator- gt getScript                      To validate just one element      validated   new FormValidator  - gt validate  blah bla     email           To sanitize just one element      sanitized   new FormValidator  - gt sanitize   lt b gt blah lt  b gt     string            package pork     author SchizoDuckie     copyright SchizoDuckie 2008     version 1 0     access public     class FormValidator       public static  regexes   Array               date    gt     0-9  1 2  -   0-9  1 2  -   0-9  4                   amount    gt     -   0-9                    number    gt     -   0-9                     alfanum    gt     0-9a-zA-Z   -   s                        not empty    gt    a-z0-9A-Z                  words    gt     A-Za-z   A-Za-z   s                    phone    gt     0-9  10 11                   zipcode    gt     1-9  0-9  3  a-zA-Z  2                   plate    gt      0-9a-zA-Z  2  -   2  0-9a-zA-Z  2                   price    gt     0-9           -         0-9  2                      2digitopt    gt     d     d 2                     2digitforce    gt     d    d d                  anything    gt      d D  1                 private  validations   sanatations   mandatories   errors   corrects   fields        public function   construct  validations array     mandatories   array     sanatations   array                   this- gt validations    validations           this- gt sanitations    sanitations           this- gt mandatories    mandatories           this- gt errors   array             this- gt corrects   array                          Validates an array of items  if needed  and returns true or false                    public function validate  items                 this- gt fields    items           havefailures   false          foreach  items as  key  gt  val                        if  strlen  val     0    array search  key   this- gt validations      false   amp  amp  array search  key   this- gt mandatories      false                                  this- gt corrects      key                  continue                             result   self  validateItem  val   this- gt validations  key                if  result     false                     havefailures   true                   this- gt addError  key   this- gt validations  key                              else                                this- gt corrects      key                                   return   havefailures                                 Adds unvalidated class to thos elements that are not validated  Removes them from classes that are              public function getScript             if  empty  this- gt errors                          errors   array                foreach  this- gt errors as  key  gt  val     errors       INPUT name   key                      output         implode       errors     addClass  unvalidated                    output     new FormValidator   showMessage                        if  empty  this- gt corrects                          corrects   array                foreach  this- gt corrects as  key     corrects       INPUT name   key                     output          implode       corrects     removeClass  unvalidated                            output     lt script type  text javascript  gt   output   lt  script gt            return  output                                 Sanitizes an array of items according to the  this- gt sanitations        sanitations will be standard of type string  but can also be specified         For ease of use  this syntax is accepted          sanitations   array  fieldname    otherfieldname   gt  float                public function sanitize  items                foreach  items as  key  gt  val                        if array search  key   this- gt sanitations      false  amp  amp   array key exists  key   this- gt sanitations   continue               items  key    self  sanitizeItem  val   this- gt validations  key                      return  items                                 Adds an error to the errors array               private function addError  field   type  string                  this- gt errors  field     type                               Sanitize a single var according to  type         Allows for static calling to allow simple sanitization             public static function sanitizeItem  var   type                 flags   NULL          switch  type                        case  url                    filter   FILTER SANITIZE URL              break              case  int                    filter   FILTER SANITIZE NUMBER INT              break              case  float                    filter   FILTER SANITIZE NUMBER FLOAT                   flags   FILTER FLAG ALLOW FRACTION   FILTER FLAG ALLOW THOUSAND              break              case  email                    var   substr  var  0  254                    filter   FILTER SANITIZE EMAIL              break              case  string               default                   filter   FILTER SANITIZE STRING                   flags   FILTER FLAG NO ENCODE QUOTES              break                      output   filter var  var   filter   flags                   return  output                                 Validates a single var according to  type         Allows for static calling to allow simple validation                     public static function validateItem  var   type                if array key exists  type  self   regexes                          returnval    filter var  var  FILTER VALIDATE REGEXP  array  options   gt  array  regexp   gt     self   regexes  type    i         false              return  returnval                      filter   false          switch  type                        case  email                    var   substr  var  0  254                    filter   FILTER VALIDATE EMAIL                  break              case  int                    filter   FILTER VALIDATE INT              break              case  boolean                    filter   FILTER VALIDATE BOOLEAN              break              case  ip                    filter   FILTER VALIDATE IP              break              case  url                    filter   FILTER VALIDATE URL              break                    return   filter     false    false   filter var  var   filter      false   true   false                      Of course  keep in mind that you need to do your sql query escaping too depending on what type of db your are using  mysql real escape string   is useless for an sql server for instance   You probably want to handle this automatically at your appropriate application layer like an ORM  Also  as mentioned above  for outputting to html use the other php dedicated functions like htmlspecialchars     For really allowing HTML input with like stripped classes and or tags depend on one of the dedicated xss validation packages  DO NOT WRITE YOUR OWN REGEXES TO PARSE HTML

User · Answer

If you re using PostgreSQL  the input from PHP can be escaped with pg escape string      username   pg escape string   POST  username       From the documentation  http   php net manual es function pg-escape-string php       pg escape string   escapes a string for querying the database  It returns an escaped string in the PostgreSQL format without quotes

User · Answer

One trick that can help in the specific circumstance where you have a page like  mypage id 53 and you use the id in a WHERE clause is to ensure that id definitely is an integer  like so   if  isset   GET  id          id     GET  id      settype  id   integer       result   mysql query  SELECT   FROM mytable WHERE id     id         now use the result     But of course that only cuts out one specific attack  so read all the other answers   And yes I know that the code above isn t great  but it shows the specific defence

User · Answer

No   You can t generically filter data without any context of what it s for   Sometimes you d want to take a SQL query as input and sometimes you d want to take HTML as input   You need to filter input on a whitelist -- ensure that the data matches some specification of what you expect   Then you need to escape it before you use it  depending on the context in which you are using it   The process of escaping data for SQL - to prevent SQL injection - is very different from the process of escaping data for  X HTML  to prevent XSS

User · Answer

Do not try to prevent SQL injection by sanitizing input data   Instead  do not allow data to be used in creating your SQL code   Use Prepared Statements  i e  using parameters in a template query  that uses bound variables   It is the only way to be guaranteed against SQL injection   Please see my website http   bobby-tables com  for more about preventing SQL injection

User · Answer

To address the XSS issue  take a look at HTML Purifier  It is fairly configurable and has a decent track record   As for the SQL injection attacks  make sure you check the user input  and then run it though mysql real escape string    The function won t defeat all injection attacks  though  so it is important that you check the data before dumping it into your query string   A better solution is to use prepared statements  The PDO library and mysqli extension support these

[php] How can I sanitize user input with PHP?

Examples related to php

Examples related to security

Examples related to xss

Examples related to sql-injection

Examples related to user-input