PHP - Sanitizing, How's The Best Way Of Doing It?
I have been reading this:
http://www.phpro.org/tutorials/Filtering-Data-with-PHP.html#11

I am curious, how does one actually sanitize a PHP script? I know the site shows how to do it, but it really doesn't show how to do it in the real world. Let me give you an example:

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>PDI NCMR Admin Panel</title>
<!--[if IE]><link rel="stylesheet" type="text/css" href="../CSS/ie.css" /><![endif]-->
<!--[if !IE]> <--><link rel="stylesheet" type="text/css" href="../CSS/pdi.css" /><!--> <![endif]-->
</head>
<body>
<?php
echo '<div id="admin">';

// Show the navigation menu
require_once('../hf/nav.php');
echo '<hr id="line">';
echo '<h2 id="title">Latest NCMRs </h2>';

// Connect to the database
require_once('../connectvars.php');
$dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

// Retrieve the data from MySQL
$query = "SELECT * FROM ncmr";
$data = mysqli_query($dbc, $query);

echo '<table>';
echo '<tr><th>NCMR ID  </th><th>Part  </th><th>Date  </th><th>Actions  </th></tr>';
while ($row = mysqli_fetch_array($data)) {
    // Display the data (the column values are echoed into the HTML as-is)
    echo '<tr class="ncmrdata">';
    echo '<td>' . $row['NCMR_ID'] . '    </td>';
    echo '<td>' . $row['Nexx_Part_Description'] . '  </td>';
    echo '<td>' . date("M d,Y", strtotime($row['Added_By_Date'])) . '  </td>';
    echo '<td><a href="viewncmr.php?id=' . $row['id'] . '">Comment</a>  <strong><a href="editncmr.php?id=' . $row['id'] . '">Edit</a></strong>  <a href="printncmr.php?id=' . $row['id'] . '">Print</a>';
    echo '</td></tr>';
}
echo '</table>';

mysqli_close($dbc);
require_once('../hf/footer.php');
?>
</body>
</html>

How do I sanitize this? Or is it for inputs only?

Similar Tutorials

I'm researching ways that my server can be vulnerable. So far, I've strongly relied on regex to sanitize anything susceptible to user input/manipulation. Should I be trying other methods? Should I be changing input to HTML entities, even though they're bypassed w/ regex? Any recommendations on other methods to secure my server besides securing user input?

What is the best way to sanitize a user input? What covers it all without leaving the text with slashes?

Do I just need to escape my variables, or do I need to sanitize my queries as well? What's the whole kit and caboodle, anyone?

In lieu of prepared statements, will this work effectively? Is it overkill?

$username = mysqli_real_escape_string($conn, $_POST["username"]);
$username = strip_tags(trim($username));

Can I write it this way:

$username = mysqli_real_escape_string($conn, strip_tags(trim($_POST["username"])));

Are prepared statements a guarantee for defeating an injection attack? Or should they be used in conjunction with the above (or other) coding to bolster a database's defenses?

I'm attempting to thoroughly sanitize my PHP app to avoid common exploits, and am working on guarding from SQL injections and such. I'm using mysql_real_escape_string for data that comes from the user. I have a number of instances of the following:

$ip = $_SERVER['REMOTE_ADDR'];
$page = $_SERVER['PHP_SELF'];

And then using those values to query or update SQL. Is it a best practice to also sanitize this sort of data?
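The thread above asks three related things: how to "sanitize" a listing page that only reads from the database, whether mysqli_real_escape_string plus strip_tags is a substitute for prepared statements, and whether $_SERVER values such as REMOTE_ADDR and PHP_SELF need the same treatment. The example below is an added illustration written for this page, not code from any of the posters. It reworks the original listing loop so that every value is escaped for the context it is written into (HTML text, HTML attribute, URL query string), and adds a parameterised INSERT so that the value and the SQL text never mix. The ncmr table and its column names and the DB_* constants come from the original post; the logins table, its columns, and the username policy are assumptions for the example.

```php
<?php
// Added example, not the original poster's code. Assumes the ncmr table and
// DB_* constants from the post; the `logins` table and its columns are
// hypothetical.
declare(strict_types=1);

// Escape for an HTML text or attribute context. This is what "sanitizing" a
// read-only page means: it happens at the point of output, not on the way in.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render the NCMR table. The SELECT takes no user input, so the query itself is
// fixed; the risk is stored values (which may have come from a form) being
// echoed into HTML unescaped.
function render_ncmr_table(mysqli $dbc): string
{
    $result = $dbc->query('SELECT id, NCMR_ID, Nexx_Part_Description, Added_By_Date FROM ncmr');
    $html = "<table>\n<tr><th>NCMR ID</th><th>Part</th><th>Date</th><th>Actions</th></tr>\n";
    while ($row = $result->fetch_assoc()) {
        // The id lands in a URL query string: force it to an integer and
        // URL-encode it, then HTML-escape the whole href value. Text columns
        // are HTML-escaped. The date is rebuilt from strtotime(), so a bad
        // stored value becomes an empty cell rather than raw markup.
        $id   = (int) $row['id'];
        $link = 'id=' . rawurlencode((string) $id);
        $ts   = strtotime((string) $row['Added_By_Date']);
        $date = $ts === false ? '' : date('M d,Y', $ts);
        $html .= '<tr class="ncmrdata">'
            . '<td>' . h((string) $row['NCMR_ID']) . '</td>'
            . '<td>' . h((string) $row['Nexx_Part_Description']) . '</td>'
            . '<td>' . h($date) . '</td>'
            . '<td><a href="viewncmr.php?' . h($link) . '">Comment</a> '
            . '<strong><a href="editncmr.php?' . h($link) . '">Edit</a></strong> '
            . '<a href="printncmr.php?' . h($link) . '">Print</a></td>'
            . "</tr>\n";
    }
    $result->free();
    return $html . "</table>\n";
}

// Parameterised write. The value travels separately from the SQL text, so no
// quoting is needed and the bound value cannot alter the statement; this is
// why a prepared statement replaces mysqli_real_escape_string rather than
// sitting beside it. strip_tags() is neither an SQL nor an HTML escape and
// silently changes the data, so it is not used at all.
function record_login(mysqli $dbc, string $username, string $remoteAddr): bool
{
    // Validate and reject, don't "clean": the policy here (hypothetical) is
    // 1-32 characters from a fixed alphabet.
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $username)) {
        return false;
    }
    // $_SERVER['REMOTE_ADDR'] is filled in by the web server, not the client,
    // but it is still bound as a parameter and checked to be an IP address.
    if (filter_var($remoteAddr, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    // $_SERVER['PHP_SELF'] includes any path info appended to the request
    // (e.g. /page.php/<script>...), so it is client-controlled; SCRIPT_NAME
    // is the script's own path and does not include path info.
    $page = basename($_SERVER['SCRIPT_NAME'] ?? 'unknown');

    $stmt = $dbc->prepare('INSERT INTO logins (username, ip, page) VALUES (?, ?, ?)'); // hypothetical table
    $stmt->bind_param('sss', $username, $remoteAddr, $page);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage (mirrors the original post's wiring; connectvars.php is assumed to
// define the DB_* constants as in the post):
// require_once '../connectvars.php';
// $dbc = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
// $dbc->set_charset('utf8mb4');   // escaping rules depend on the connection charset
// echo render_ncmr_table($dbc);
// record_login($dbc, $_POST['username'] ?? '', $_SERVER['REMOTE_ADDR'] ?? '');
```

The split to take away from this: validate input against what the field is supposed to hold and reject what does not fit; send values to the database as bound parameters, never by string building; and escape at output for the exact context (HTML body, attribute, URL, JavaScript) the value is being placed into. A single "sanitize everything" pass at input cannot know which of those contexts the value will later end up in, which is why the regex-only and strip_tags approaches asked about above leave gaps.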