03-08-2012, 10:21 AM
Input Of Data
I have also seen a lot of security problems in open source scripts, and in general posts on forums like this. Security is one of the fundamental things that every programmer must learn, which is why I'm going to make a quick guide here.
Upon input (protecting against SQL Injection), you should only need to use one of the following functions below (you can use other functions, such as trim() but it’s not necessary for security):
PHP Code:
intval()
is_numeric()
ctype_alnum()
mysql_real_escape_string()
addslashes()
hash()
So let’s go through each of the functions listed above.
You will have noticed I grouped them. The first three functions, is_numeric(), intval() and ctype_alnum() are used to limit the user's input, therefore preventing any malicious input. The functions above are pretty self explanatory, but I will quickly brush over them:
- is_numeric() will make sure that a number has a numerical value. It can contain only one full stop (for a decimal place). If your string does not comply with the above, it will fail and return FALSE.
- intval() will only allow integer values (whole numbers), and if it finds anything else, then it will stop and take the numbers it has found (if any):
PHP Code:
$a = '123sd987.h4';
echo intval($a);
//outputs 123
- ctype_alnum() restricts the user's input to only alphanumerical characters (0-9, A-Z, a-z).
Lastly we have the hash() function. The first parameter you pass to it is the type of hash, and the second is what you would like hashed. This is mainly done upon passwords for security:
PHP Code:
$pws = '123abc';
//you can also salt the password, but I will leave that out for now
$secured = hash('sha512', $pws);
Output Of Data
Next, we have output from the database. This is to prevent Cross-Site Scripting (XSS) attacks. There are two functions you can use for this:
PHP Code:
htmlspecialchars()
htmlentities()
The only difference between htmlspecialchars() and htmlentities() is that the former function translates only special characters (&, ', ", <, >). Whereas the latter function translates all characters which have HTML character entity equivalents (into those entities).
I have always been taught to only escape data upon input to the database, and then to properly sanitise it (with functions such as htmlspecialchars()) upon output of data from the database.
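As an added example (not code from the original post), the input/output split described above in PHP: constructed sample values stand in for request data and database rows, and the SQL side relies on the validation functions rather than mysql_real_escape_string(), which needs a live database connection.

```php
<?php
// Added example, not from the original post: input limiting, password hashing
// and output escaping, using the functions the post lists.

// Input side: constrain untrusted request data before it reaches a query.
function clean_id(string $raw): int
{
    // is_numeric() rejects strings with trailing garbage outright;
    // intval() then reduces the accepted value to a whole number.
    if (!is_numeric($raw)) {
        return 0; // 0 never matches a real row id
    }
    return intval($raw);
}

function clean_username(string $raw): ?string
{
    // ctype_alnum() allows only 0-9, A-Z, a-z, so quotes and SQL syntax
    // can never be part of the value that reaches the query.
    return ctype_alnum($raw) ? $raw : null;
}

function store_password(string $plain): string
{
    // hash() returns hexadecimal characters only (0-9, a-f),
    // so the result needs no further escaping before storage.
    return hash('sha512', $plain);
}

// Output side: escape at render time so stored text cannot become markup.
function render_comment(string $fromDb): string
{
    // ENT_QUOTES also converts single quotes, which matters inside attributes.
    return htmlspecialchars($fromDb, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs standing in for $_POST values and database rows.
$badId   = clean_id('42; DROP TABLE users');   // fails is_numeric(), so 0
$goodId  = clean_id('42');
$badUser = clean_username("admin' --");        // fails ctype_alnum(), so null
$hash    = store_password('123abc');
$html    = render_comment('<script>alert("x")</script>');

echo $badId, ' ', $goodId, ' ', var_export($badUser, true), "\n";
echo $hash, "\n";
echo $html, "\n";

// The difference the post notes: htmlspecialchars() leaves the accented
// letter alone, while htmlentities() also converts it to its named entity.
$text = 'café <b>';
echo htmlspecialchars($text, ENT_QUOTES, 'UTF-8'), "\n";
echo htmlentities($text, ENT_QUOTES, 'UTF-8'), "\n";
```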