Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is "enough sanitization" for a URL [duplicate]

The URL would be

  1. Saved to a MySQL database
  2. Used to display a picture on the user's profile

would strip_tags() and mysql_real_escape_string() be enough?

like image 701
aslum Avatar asked Jan 12 '10 02:01

aslum


2 Answers

"Enough sanitization" thoroughly depends on what environment you're talking about. Sanitization for MySQL should be considered entirely separate from sanitization for web output, and you should handle them separately to avoid a lot of hassle.

Sanitizing for MySQL

  • mysql_real_escape_string() will sanitize a piece of data and make it safe to put inside an SQL query.
  • Any other type of malicious data, such as HTML tags inside the string, should be absolutely ignored. Trying to manipulate it here will lead you to headaches as you try to "un-manipulate" it later after getting it out of the database. Bad "web data" cannot harm your database.

Sanitizing for output

  • htmlspecialchars($val) at output time will prevent any malicious tags from being rendered, because < and > characters are converted into their entity representations and not rendered as tag delimiters.
  • Use the ENT_QUOTES modifier if you are outputting something that is inside an HTML element's quoted attribute, such as <input name="email" value="<?php echo htmlspecialchars($email,ENT_QUOTES); ?>" />

That should be all you need, unless you have special requirements. strip_tags() shouldn't really be used for sanitization, as it can be fooled with badly formed HTML. Sanitization is a worthy goal, and if you can keep your contexts separate, you'll run into fewer problems with data manipulation between them.

like image 115
zombat Avatar answered Oct 16 '22 09:10

zombat


It's probably safer and better to call htmlentities() on the string instead of counting on strip_tags().

strip_tags() won't remove html special chars like '"&

e.g., if your code is:

<img src="<?= strip_tags($myVar) ?>">

and

$myVar = '">something goes here<';

then you end up with:

<img src="">something goes here<">

Which is pretty obviously the root of an XSS hole; an actual exploit is left as an exercise for the reader.

like image 41
Frank Farmer Avatar answered Oct 16 '22 10:10

Frank Farmer