Is "filter input, escape output" still valid with PDO

I've read this before: "filter input, escape output". But is filtering input really needed when I use PDO with PHP? I thought with PDO I don't need to filter input because the prepared statement takes care of SQL injection. I think "escape output" is still valid, but is "filter input" still valid?

sami asked Nov 18 '10 18:11


4 Answers

Yes, it is still valid.

Filtering is not about preventing security vulnerabilities, it's about not populating your database with garbage. If you're expecting a date, make sure it at least looks like a date prior to storing it.

Escaping output is about preventing security vulnerabilities (namely XSS or Cross Site Scripting).

So yes, both are quite important and are totally unrelated to SQL Injection (although a fair number of developers still confuse filtering with escaping for SQL queries and hence can still be subject to vulnerabilities)...

ircmaxell answered Nov 11 '22 07:11


Depending on what the data you're saving is, yes it can still be valid.

For example, let's say you have a comment box and a user writes a message containing HTML markup. In this case you would often want to remove the said HTML markup from the comment text, even if it ended up being escaped (after all, it probably won't look very nice).

There are other cases too, like if you have a phone number field, you might want to filter it so it's in the specific format your application uses and so on.

Jani Hartikainen answered Nov 11 '22 06:11


Always filter user input. Always. Maybe you're protecting against attacks, or maybe you're performing business rule validation, etc. Keep in mind that there is no technology or procedure that will prevent all attacks, only attacks it was specifically designed to prevent. SQL injection isn't the only problem to avoid.

David answered Nov 11 '22 05:11


As for SQL injection and security, if you're using PDO properly with bind variables, no, you don't need to sanitize. But as Jani pointed out, depending on the data you are saving, such as a text field which doesn't allow HTML, you might want to sanitize your data, or if the field should be a number, running parseInt() on it or something. But this isn't going to be required for security, but for your own database sanity. It's kind of ugly when someone tries to put HTML in a comment and you spit it out and you see > < etc.

superfro answered Nov 11 '22 07:11
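As an added illustration of the three separate concerns in ircmaxell's and superfro's answers (validating input for the column's own sake, letting the PDO bound parameter handle SQL, and escaping at output time for HTML), this is not code from any of the answers; it assumes an in-memory SQLite database, and the helper names filterDate, storeComment and renderComment are my own:

```php
<?php
// Added example, not from the answers above. In-memory SQLite so it runs stand-alone.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepare where the driver supports it
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, posted_on TEXT NOT NULL, body TEXT NOT NULL)');

/** 1. Filter input: accept only what the column is meant to hold (data sanity, not injection defence). */
function filterDate(string $raw): ?string
{
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // createFromFormat is lenient (it rolls 2010-13-45 forward), so require an exact round-trip.
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : null;
}

/** 2. Prepared statement: the bound value is always data, never SQL, whatever characters it contains. */
function storeComment(PDO $pdo, string $postedOn, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (posted_on, body) VALUES (:d, :b)');
    $stmt->execute([':d' => $postedOn, ':b' => $body]);
}

/** 3. Escape output: encode for the context the value is rendered into (here an HTML element and attribute). */
function renderComment(array $row): string
{
    return sprintf(
        '<li data-date="%s">%s</li>',
        htmlspecialchars($row['posted_on'], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
    );
}

// Constructed sample submissions, shaped like what a comment form might deliver.
$submissions = [
    ['date' => '2010-11-18', 'body' => "O'Brien wrote: quotes, ; and -- are just text here"],
    ['date' => '2010-11-18', 'body' => '<b>markup</b> is stored as typed and neutralised on output'],
    ['date' => 'not-a-date', 'body' => 'never stored: fails the input filter'],
];

foreach ($submissions as $s) {
    $date = filterDate($s['date']);
    if ($date === null) {
        echo "rejected: bad date {$s['date']}\n";
        continue;
    }
    storeComment($pdo, $date, $s['body']);
}

foreach ($pdo->query('SELECT posted_on, body FROM comments') as $row) {
    echo renderComment($row), "\n";
}
```

The stored body keeps the raw apostrophe and angle brackets (the database is not the place to HTML-encode), and only the rendering step turns them into `&#039;`, `&lt;` and `&gt;`.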