Where to sanitize PHP $_POST[] input?

I am using codeigniter framework.

Where should I sanitize PHP input - controller or model?

YD8877 asked Mar 08 '10 13:03



2 Answers

All of these answers relate to PHP methods in general but are irrelevant to CodeIgniter.

POST data

CodeIgniter automatically cleans your POST data when you use $this->input->post('item_name') if you have global_xss enabled in your config.php. If you only wish for specific items to be cleaned, you can use:

$this->input->post('item_name', TRUE);

Either way, you are safe from XSS attacks and other issues.

SQL injection

Anything being entered into the database is automatically escaped if you use ActiveRecord (insert(), update(), etc) or use the query() bindings.

$this->db->query('INSERT INTO bla VALUES (?, ?)', array($foo, $bar));

This is all escaped so no more faffing with what goes where. You can just code and leave security in the hands of the framework.

Phil Sturgeon answered Nov 19 '22 17:11


I used to be a friend of centralizing sanitation as much as possible, but extensive discussion on SO (for example here) has changed my mind. Definitely worth a read.

I submit to you the following practice:

In a central validation routine, do no sanitation, or just "rough" checks (say, for data type) and size ("$_POST["category_name"] should not be larger than 200 bytes.")

Mark incoming variables as unsafe (e.g. $unsafe_id = $_POST["category_name"];). Store them in whatever controller / class / construct you have available for it.

Sanitize data where it is used. If incoming data is used in an exec call for example, do the necessary sanitation directly in front of the call:

  // escapeshellarg() wraps the value in its own single quotes, so the argument is not quoted again
  $safe_category_name = escapeshellarg($unsafe_category_name);
  exec("external_binary -category_name $safe_category_name");

if the same data is then used in a, say, mySQL query, again sanitize it in front of the call:

  $safe_category_name = mysql_real_escape_string($unsafe_category_name);
  mysql_query("SELECT * FROM items WHERE category_name = '$safe_category_name'");

(This is just an example. If starting a project from scratch, you will want to use PDO and prepared statements, which takes away the hassle of escaping incoming data in this context.)

if the same data is then output in a web page, again do the sanitation directly in front of the call:

$safe_category_name = htmlspecialchars($unsafe_category_name);
echo "<span>$safe_category_name</span>";

This practice

  • Establishes a workflow that assumes there are unsafe variables that need to be dealt with first, which leads to a safer programming style IMO.

  • Prevents unnecessary conversions.

  • Helps fight the illusion that there is a one-click method to make input "safe." There isn't. Sanitation depends 100% on context.

Pekka answered Nov 19 '22 18:11
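The context-specific pattern from the answer above, as an added example that is not part of the original post: one rough central check, then the same unsafe value escaped separately for the shell, for SQL (via a PDO prepared statement, as the answer recommends) and for HTML. The `$post` array, the `items` table and its schema are constructed for the example, and the SQL part assumes the `pdo_sqlite` extension is available.

```php
<?php
declare(strict_types=1);
// Constructed sample input standing in for $_POST (not real request data).
$post = ['category_name' => "O'Reilly <b>books</b>"];

// Step 1: central "rough" validation only: type and size, no escaping.
function roughCheck(array $post, string $key, int $maxBytes = 200): string
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        throw new InvalidArgumentException("$key missing or not a string");
    }
    if (strlen($post[$key]) > $maxBytes) {
        throw new InvalidArgumentException("$key larger than $maxBytes bytes");
    }
    return $post[$key]; // still unsafe: nothing has been escaped yet
}

// Step 2: shell context. escapeshellarg() adds its own single quotes,
// so the argument must not be wrapped in quotes again.
function shellCommand(string $unsafeCategoryName): string
{
    return 'external_binary -category_name ' . escapeshellarg($unsafeCategoryName);
}

// Step 3: SQL context. A prepared statement sends the value separately
// from the query text, so no manual escaping is needed.
function findItems(PDO $pdo, string $unsafeCategoryName): array
{
    $stmt = $pdo->prepare('SELECT name FROM items WHERE category_name = :cat');
    $stmt->execute([':cat' => $unsafeCategoryName]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Step 4: HTML context. ENT_QUOTES also encodes single quotes, which
// matters if the value ever lands inside a single-quoted attribute.
function htmlSpan(string $unsafeCategoryName): string
{
    return '<span>' . htmlspecialchars($unsafeCategoryName, ENT_QUOTES, 'UTF-8') . '</span>';
}

// In-memory SQLite (hypothetical schema) so the example runs offline.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE items (name TEXT, category_name TEXT)');
$pdo->exec("INSERT INTO items VALUES ('PHP Cookbook', 'O''Reilly <b>books</b>')");

$unsafeCategoryName = roughCheck($post, 'category_name');
echo shellCommand($unsafeCategoryName), PHP_EOL;
print_r(findItems($pdo, $unsafeCategoryName));
echo htmlSpan($unsafeCategoryName), PHP_EOL;
```

The same string comes out differently in each of the three contexts, which is the point of the answer: the check that made it safe for one sink says nothing about the others.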