Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

PHP secure user variable

Tags:

security

sql

php

mysql

On my website I have a variable called $user_data that contains input from a form. I then show this variable on the user page (via echo).

What is the best method to avoid any security risks with this variable? I use strip_tags(), but it is not enough.

This variable also gets saved to a MySQL database.

like image 594
James Avatar asked Aug 21 '10 17:08

James

1 Answers

There are two very important things you must do to avoid serious security problems.

  1. You need to escape the user input before putting it in your SQL query. Escaping means escape all the special characters such as '; luckily, there is a function that already does it automatically: mysql_real_escape_string.

    If you don't escape user input nasty things could happen. Imagine that your query is INSERT INTO userdata VALUES ('$user_data'). Now imagine that the user wrote '; DROP DATABASE userdata;.

    If you don't escape it, your query will become: INSERT INTO userdata VALUES (''; DROP DATABASE userdata;'). As you can imagine this is not good: if you have multi statements enabled you can kiss goodbye to your database. This is called an SQL Injection attack.

  2. When you are outputting your variable to the user you also need to properly replace HTML special characters with HTML entities. Luckily, there is a function to do that too: htmlspecialchars(). It will transform the special HTML characters such as < to &lt;.

    This seems to be a problem that is often underestimated, but in reality it's very serious. Imagine if $user_data contains <script>SomeNastyScript()</script>. It could exploit existing vulnerabilities in the browser of your users, or it could send a non-HTTPOnly cookie (that may contain saved passwords) to the attacker, or it could trick the user into writing their password on a form generated through the manipulation of the DOM (possible in javascript), or a lot of other bad things.

    This is called XSS (Cross-site scripting).

Short version

  1. Call mysql_real_escape_string on the string before inserting it into your SQL query (but not when you echo it).

  2. Call htmlspecialchars on the string before displaying it to the user (but not when you put it in the database).

like image 60
Thomas Bonini Avatar answered Sep 18 '22 00:09

Thomas Bonini
Sign in to Comment

Related questions

Replace the Variable Price range by the chosen variation price in WooCommerce 4+
Fastest way to insert/update a million rows in Laravel 5.7
how to save base64 image decode to public folder in laravel
How to check if table is already joined in Laravel Query Builder
how to add twig-view in slimframework v4
Can't generate API documentation in l5-swagger
Authenticator LOGIN returned Expected response code 235 but got code "535", with message "535 Incorrect authentication data "
How to get user data in form in Symfony 1.2?
Starting with versioning mysql schemata without overkill. Good solutions?
Normalize the case of array keys in PHP
how to setup url friendly in yii framework automatically
When can there be data in both $_GET and $_POST
How to check if there are only spaces in string in PHP?
PHP: How to capture browser window screen with php?
Extra backslash needed in PHP regexp pattern
install imap in windows
How to securely pass credit card information between pages in PHP
Should the function or the caller be responsible for input validation?
Strip bad Windows filename characters
php output with sleep()

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!