Code Snippet
Sanitize Database Inputs
1) Function for stripping out malicious bits
<?php
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si',   // Strip out javascript
        '@<[\/\!]*?[^<>]*?>@si',            // Strip out HTML tags
        '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
        '@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments
    );
    $output = preg_replace($search, '', $input);
    return $output;
}
?>

2) Sanitization function
Uses the function above, and also adds slashes so that quotes in the input do not break database functions.
<?php
function sanitize($input) {
    if (is_array($input)) {
        $output = array(); // initialise so an empty array still returns an array
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    }
    else {
        // Undo magic quotes so the value is not escaped twice.
        // Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0.
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        // Needs an open mysql_* connection; the mysql extension was removed in PHP 7.
        $output = mysql_real_escape_string($input);
    }
    return $output;
}
?>

Usage
<?php
$bad_string = "Hi! <script src='http://www.evilsite.com/bad_script.js'></script> It's a good day!";
$good_string = sanitize($bad_string);
// $good_string returns "Hi! It\'s a good day!"
// Also use for getting POST/GET variables
$_POST = sanitize($_POST);
$_GET = sanitize($_GET);
?>
I use my own functions as follows:
Where “fsk_” prefix is used for WYSIWYG editor variables. Works perfectly.
@iMaxEst: I think you may have missed the point here. Preparing data is just a side issue. Sanitizing data prevents code injection attacks.
stripslashes() != sanitize()
Really nice functions Chris! Neat way using regular expressions; these snippets will definitely find their way to my library script.
Thanks a bunch!
Why to clean the input from html/script tags?
You only have to worry about XSS when you prepare the output!
Protect your database through prepared statements and htmlspecialchars() will care about the output.
It seems like a good idea to clean input. Why do I want to store potentially malignant code in my database?
What about ASP ? anyone..
Phil, this can be used for ASP.NET:
AntiXSS protects against Cross Site Scripting and SQL Injection
http://wpl.codeplex.com/
These code snippets don’t come through very nicely via RSS. All the line breaks seem to disappear.
These are nigh useless and overly complicated; e.g. the html one simply matches anything with “<", so why not make that explicit? Currently that's all that expression does, all this extra stuff merely serves to obfuscate the issue. E.g. the javascript one doesn't work, all I have to do is add a space: "scripthere”, the browser will figure out what I meant, and the script will execute.
I apologize, whoever wrote this filter did it both right and wrong (wrong because they simply remove it, instead of escaping it, right because it catches it), I’ve cleaned it up with characters escaped by hand, this should work:
These are nigh useless and overly complicated; e.g. the html one simply matches anything with “<”, so why not make that explicit? Currently that’s all that expression does, all this extra stuff merely serves to obfuscate the issue. E.g. the javascript one doesn’t work, all I have to do is add a space: “< script>scripthere</script>”, the browser will figure out what I meant, and the script will execute.
Mine is pretty small and handy for getting rid of nasty hacking injections
<SCRIPT SRC=http://hackers.com/xss.js></SCRIPT>
this is just fantastic! truly smashing. Thank you.
mine simply strips out the brackets.
Hi,
We are looking for a consultant who could evaluate our website and check how vulnerable we are to these kind of malicious scripts.
Any recommendation?
Thanks,
Mark
Don’t know a consultant but I am reading “pro PHP security – from application security principles to the implementation of XSS defenses” which explains this stuff quite well
Mark, dunno if you’re still interested, but I’ve had several years of this line of work. There are several other areas of attacks that I can investigate for you as well. Simply contact me at http://www.matatechconsulting.com/contact/ for more details.
Chris, why use your regexes instead of PHP’s strip_tags(), as suggested by gibigbig? I don’t understand what functionality is added by going that route.
Glad I found. I was just thinking about this yesterday and needed a better fn.
Is the filter_var() fn any good? ie. filter_var($value, FILTER_SANITIZE_STRING)
Thanks for the tutorial, this is very useful
The safest way is to parameterise inputs by using classes such as PDO since PHP is a loosely typed language.
Or simply cast the inputs into the type that you would expect, e.g. Expect an integer? Just put (int) before the input. Type casting is the fastest operation to sanitize numbers.
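The approach the last few comments recommend, as an added example that is not part of the original snippet or any commenter's code: the value goes to the database through a PDO prepared statement (with the integer field cast, as suggested above), is stored unchanged, and htmlspecialchars() is applied only when it is rendered. It uses an in-memory SQLite database so it runs offline; the `comments` table, its columns and the `storeComment`/`renderComments` names are assumptions made for this demo.

```php
<?php
// Added example (not from the page): parameterised queries on input,
// HTML escaping on output. Assumes the pdo_sqlite extension is available.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed schema for the demo
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, post_id INTEGER NOT NULL, body TEXT NOT NULL)');

// Store a comment. The body travels as a bound parameter, so quotes, backslashes
// and SQL keywords inside it never become part of the statement text.
function storeComment(PDO $pdo, $postId, string $body): int {
    $postId = (int) $postId;   // cast numeric fields, as the comment above suggests
    $stmt = $pdo->prepare('INSERT INTO comments (post_id, body) VALUES (:post_id, :body)');
    $stmt->bindValue(':post_id', $postId, PDO::PARAM_INT);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Read comments back and escape them only at the point where they become HTML.
function renderComments(PDO $pdo, $postId): string {
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE post_id = :post_id ORDER BY id');
    $stmt->bindValue(':post_id', (int) $postId, PDO::PARAM_INT);
    $stmt->execute();
    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $body) {
        $html .= '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</p>\n";
    }
    return $html;
}

// Constructed sample input: the page's own test string, stored verbatim.
$sample = "Hi! <script src='http://www.evilsite.com/bad_script.js'></script> It's a good day!";
storeComment($pdo, '42', $sample);

// The database holds the exact original text: nothing stripped, no added backslashes.
$raw = $pdo->query('SELECT body FROM comments')->fetchColumn();
assert($raw === $sample);

// The browser receives inert text, because the escaping happens at output time.
echo renderComments($pdo, 42);
```

The distinction matters for the "why store malicious code" question above: the prepared statement makes the stored text harmless to the query regardless of its content, and escaping at render time means the same stored value can later be sent to a JSON API or a plain-text email without the HTML-oriented stripping having already mangled it.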
Hi! It’s a good day!
I’m just testing how this works?