Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

input sanitization VS validation

Tags:

php

I've implemented input validation on all of my input data using php (as well as js on the front-end). I'm type casting where I can, validating stuff like emails against a regex, making sure dropdown values are only ones I'm expecting and also in many cases where I'm expecting only a string I have a regex that runs that only allows letters, numbers and spaces. Anything that doesn't meet these rules results in the form failing validation and no sql queries are run.

With that said if my form passes validation I'm making the assumption that it's safe for input in to my db (which I'm doing via pdo) and then escaped on output.

So with that said why do I need input sanitization?

like image 867
Mike Rifgin Avatar asked Jul 04 '13 15:07

Mike Rifgin


People also ask

Is validation the same as sanitization?

Validation, generally speaking, is the process of ensuring that the data we are about to work with both exists and is what we expect it to be. Sanitization, in general, is the process of preparing data to be sent to the database and ensuring it is safe to be entered.

What does it mean to sanitize input?

Sanitization may include the elimination of unwanted characters from the input by means of removing, replacing, encoding, or escaping the characters. Sanitization may occur following input (input sanitization) or before the data is passed across a trust boundary (output sanitization).

Why is it important to add input sanitisation and input validation to your code?

By using both input validation and input sanitization, a web application creates more layers of security. These methods of input handling can be performed on either the client-side or the server-side.

What is the meaning of input validation?

Input validation is the process of testing input received by the application for compliance against a standard defined within the application. It can be as simple as strictly typing a parameter and as complex as using regular expressions or business logic to validate input.


2 Answers

If you have very strict validation server-side, you don't need to sanatize. Eg. validating a string against /^[a-z0-9]{5,25}$/ will not need any sanitization (removing non alphanumeric characters will not make any sense, since they should not be able to pass anyway).

Just make sure you can validate all data, and if that's impossible (e.g. with html it tends to be a bit difficult), you can use escaping strategies or things like html purifier.

For a good overview on escaping strategies for XSS prevention: see https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

For an idea of different security threats: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

like image 65
Arend Avatar answered Oct 13 '22 01:10

Arend


You need both. Validating input data is easily beaten at the client side, but it's useful for legitimate users who aren't trying to hack you. Sanitize the data (all the data, whether it's input data or something straight from your DB that you think you should be able to trust) before putting it into your database.

Even if you 100% trust your validation and do it on the server side (where, in theory, people shouldn't be able to mess with the data), it's still worth using some form of sanitizing because it's a good habit to get into.

like image 30
Grim... Avatar answered Oct 12 '22 23:10

Grim...