I'm very new to PHP, basically I'm trying to create a commenting system for my site. I have the following function:
$input = $_POST['comment'];

function cleanUserInput($input) {
    $input = mysql_real_escape_string($input);
    $input = htmlentities($input);
    return $input;
}
So the question is: is mysql_real_escape_string alone sufficient to prevent SQL injection? And is htmlentities() sufficient to prevent scripts, HTML and styles entered by the user from having any actual effect, so that they are just shown as text?
Or do I need to add more to my function to make the input really harmless?
They are different tools for different purposes. mysqli_real_escape_string makes data safe for inserting into MySQL (but parametrized queries are better). addslashes assumes everything is 8bit. mysql_real_escape_string takes the character encoding into account when doing its encoding.
mysql_real_escape_string is usually enough to avoid SQL injection.
mysql_real_escape_string is NOT enough. You must also take into account how you structure your query. Consider the following simple login script:
$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
$sql = "SELECT * FROM users WHERE username = $username AND password = $password";

Without quotes around $username and $password, injection is STILL possible. (Consider a username = test; DROP TABLE users; --. Bye bye data! :( )
mysql_real_escape_string is sufficient from a sanitization point IF you structure your query correctly. For a properly constructed query, this works fine.
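The same login query written with prepared statements, as an added example that is not part of the answer above: the driver sends the values separately from the SQL text, so the quoting mistake shown above cannot occur and escaping is no longer the application's job. It uses PDO with an in-memory SQLite database so it runs stand-alone (assumes the pdo_sqlite extension); for MySQL only the DSN and credentials change, the placeholder syntax is identical. Table layout, function names and the sample user are this example's own.

```php
<?php
// Added example, not from the original answer: parametrised queries with PDO.
// In-memory SQLite is used so the script runs anywhere; swap the DSN for
// 'mysql:host=...;dbname=...;charset=utf8mb4' in a real deployment.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares where supported

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE, password_hash TEXT NOT NULL)');
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT NOT NULL)');

// Constructed sample user. The password is stored as a hash, never in clear text.
$ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

function findUserByName(PDO $pdo, string $username): ?array
{
    // The placeholder is typed and quoted by the driver; no mysql_real_escape_string needed.
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login(PDO $pdo, string $username, string $password): ?int
{
    $user = findUserByName($pdo, $username);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return null;
    }
    return (int) $user['id'];
}

function addComment(PDO $pdo, int $userId, string $body): int
{
    // The comment body is stored exactly as typed; HTML escaping belongs at output time.
    $stmt = $pdo->prepare('INSERT INTO comments (user_id, body) VALUES (:uid, :body)');
    $stmt->execute([':uid' => $userId, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Constructed inputs standing in for $_GET / $_POST values.
$hostile = "test; DROP TABLE users; --";          // the username from the answer above
var_dump(login($pdo, $hostile, 'anything'));      // no such user; the users table still exists
var_dump(login($pdo, 'alice', 'correct horse'));  // alice's id
var_dump(addComment($pdo, 1, "<script>alert(1)</script> ' OR 1=1 --"));
var_dump((int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn()); // still one user
```

Note that the hostile username is simply looked up as a literal string and matches nothing; there is no quoting rule to get right because the value never becomes part of the SQL text.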
A better question is "what are you trying to prevent?" You should also be aware of XSS (cross-site scripting), stored and reflected. If you are storing input from users in your database and that data is rendered in the browser, you'll want to strip out <script> tags at the very least.
There are many filters and code available online for this depending on your language. If you use Rails or CodeIgniter, it's done for you.
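As an added example (not from the answer above) of the output side of the XSS problem: rather than stripping <script> tags, which is a blocklist that misses event handlers and other vectors, encode every character HTML treats specially at the moment the comment is rendered. htmlspecialchars() is enough for that (htmlentities(), as used in the question, also works but encodes far more than necessary); the flags and the explicit UTF-8 charset matter, since before PHP 5.4 the default charset was ISO-8859-1. The function names, markup and sample comments are this example's own.

```php
<?php
// Added example, not part of the original answer: escape at output time.
// Assumes the page is served as UTF-8 (Content-Type header or <meta charset>).
declare(strict_types=1);

function e(string $text): string
{
    // ENT_QUOTES also encodes the single quote, so the result is safe inside
    // single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
    // instead of returning an empty string (which would silently drop the comment).
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderComment(string $author, string $body): string
{
    // Same escaping for the attribute value and the text node; nl2br() runs
    // after e() so the inserted <br /> tags are the only markup in the output.
    return '<div class="comment" data-author="' . e($author) . '">'
         . '<p>' . nl2br(e($body)) . '</p></div>';
}

// Constructed stored comments, saved exactly as the user typed them.
$samples = [
    ['mallory', '<script>alert(document.cookie)</script>'],
    ['eve',     '<img src=x onerror="alert(1)">'],
    ['bob"',    '" onmouseover="alert(1)'],
    ['alice',   "Line one\nLine two <b>not bold</b>"],
];
foreach ($samples as [$author, $body]) {
    echo renderComment($author, $body), "\n";
}
```

Every sample comes out as inert text: the angle brackets and quotes are encoded, so neither the script tag, the event-handler attribute nor the attempt to break out of the data-author attribute reaches the browser as markup. Storing the raw text and escaping on output also keeps the same data usable in non-HTML contexts (JSON, e-mail, logs), which a sanitise-on-input approach loses.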
As far as this type of security is concerned, I recommend using the following:
bottom line - if it comes from the user, it can't be trusted!
Both functions do solve a major part of the security issues regarding injections of any kind and some more problems, however, the amount of security bugs that your application can have is staggering.
If you are a security freak, then you're in for major problems, but you'll be all right by starting on checking Chris Shiflett's website, who is one of the major authorities on PHP security around the world.
And finally you can check the OWASP web, and their Top Ten Project, where they keep track of the most common security threats and keep updates on how to fight them.
Hope I can be of assistance.
If you're using PHP 5.2 or newer, you can use the built-in input sanitization.
For example:
$input = filter_input(INPUT_POST, 'comment', FILTER_SANITIZE_STRING);
References:
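An added example, not from the answer above, of what validating the comment field can look like before it is stored. filter_input()/filter_var() with FILTER_UNSAFE_RAW just fetches the value (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1), and the real checks, valid UTF-8, no control characters, a length range, are explicit. The limits and the function name are this example's own choices; the text is stored as accepted and escaped when rendered.

```php
<?php
// Added example, not part of the original answer: validate shape, don't "sanitise".
// The minimum/maximum lengths are assumptions for this example.
declare(strict_types=1);

const COMMENT_MIN = 2;
const COMMENT_MAX = 2000;

function validateComment(?string $raw): ?string
{
    if ($raw === null || !mb_check_encoding($raw, 'UTF-8')) {
        return null;                                // missing field, or not valid UTF-8
    }
    $text = trim(str_replace("\r\n", "\n", $raw));  // normalise line endings
    // Reject control characters (Unicode category C) other than newline and tab.
    if (preg_match('/[^\P{C}\n\t]/u', $text) === 1) {
        return null;
    }
    $len = mb_strlen($text, 'UTF-8');
    if ($len < COMMENT_MIN || $len > COMMENT_MAX) {
        return null;
    }
    return $text;                                   // stored as-is, escaped at output time
}

// In the real request handler the value would come from:
//   $raw = filter_input(INPUT_POST, 'comment', FILTER_UNSAFE_RAW);
// Constructed stand-ins for $_POST['comment']:
$cases = [
    'ok'      => "Nice post!\r\nThanks.",
    'short'   => 'x',
    'control' => "hello\x00world",
    'badutf8' => "caf\xC3",
    'html'    => '<b>kept</b> as text, escaped when rendered',
];
foreach ($cases as $name => $raw) {
    $v = validateComment(filter_var($raw, FILTER_UNSAFE_RAW));
    printf("%-8s %s\n", $name, $v === null ? 'rejected' : 'accepted: ' . json_encode($v));
}
```

The 'html' case is accepted on purpose: markup in a comment is ordinary text as far as validation is concerned, and making it harmless is the renderer's job, while the NUL byte and the truncated multibyte sequence are rejected outright because no downstream consumer should ever see them.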