Code Snippet
Sanitize Database Inputs
1) Function for stripping out malicious bits
<?php
function cleanInput($input) {
$search = array(
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
'@<[\/\!]*?[^<>]*?>@si', // Strip out HTML tags
'@<style[^>]*?>.*?</style>@siU', // Strip style tags properly
'@<![\s\S]*?--[ \t\n\r]*>@' // Strip multi-line comments
);
$output = preg_replace($search, '', $input);
return $output;
}
?>2) Sanitization function
Uses the function above, as well as adds slashes as to not screw up database functions.
<?php
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
?>Usage
<?php
$bad_string = "Hi! <script src='http://www.evilsite.com/bad_script.js'></script> It's a good day!";
$good_string = sanitize($bad_string);
// $good_string returns "Hi! It\'s a good day!"
// Also use for getting POST/GET variables
$_POST = sanitize($_POST);
$_GET = sanitize($_GET);
?>
I use my own functions as follow:
Where “fsk_” prefix is used for WYSIWYG editor variables. Works perfectly.
@iMaxEst: I think you may have missed the point here. Preparing data is just a side issue. Sanitizing data prevents code injection attacks.
stripslashes() != sanitize()
Really nice functions Chris! Neat way using regular Expressions these snippets will definetly find there way to my library script.
Thanks a bunch!
Why to clean the input from html/script tags?
You only have to worry about XSS when you prepare the output!
Protect your database through prepared statements and htmlspecialchars() will care about the output.
It seems like a good idea to clean input. Why do I want to store potentially malignant code in my database?
What about ASP ? anyone..
Phil, this can be used for ASP.NET:
AntiXSS protects against Cross Site Scripting and SQL Injection
http://wpl.codeplex.com/
These code snippets don’t come through very nicely via RSS. All the line breaks seem to disappear.
These are nigh useless and overly complicated; e.g. the html one simply matches anything with “<", so why not make that explicit? Currently that's all that expression does, all this extra stuff merely serves to obfuscate the issue. E.g. the javascript one doesn't work, all I have to do is add a space: "scripthere”, the browser will figure out what I meant, and the script will execute.
I apologize, whoever wrote this filter did it both right and wrong (wrong because they simply remove it, instead of escaping it, right because it catches it), I’ve cleaned it up with characters escaped by hand, this should work:
These are nigh useless and overly complicated; e.g. the html one simply matches anything with “<”, so why not make that explicit? Currently that’s all that expression does, all this extra stuff merely serves to obfuscate the issue. E.g. the javascript one doesn’t work, all I have to do is add a space: “< script>scripthere</script>”, the browser will figure out what I meant, and the script will execute.
Mines is pretty small and handy for getting rid of nasty hacking injections
<SCRIPT SRC=http://hackers.com/xss.js></SCRIPT>
this is just fantastic! truly smashing. Thank you.
mine simply strips out the brackets.
Hi,
We are looking for a consultant who could evaluate our website and check how vulnerable we are to these kind of malicious scripts.
Any recommendation?
Thanks,
Mark
Don’t know a consultant but I am reading “pro PHP security – from application security principles to the implementation of XSS defenses” which explains this stuff quite well
Mark, dunno if you’re still interested, but I’ve had several years of this line of work. There are several other areas of attacks that I can investigate for you as well. Simply contact me at http://www.matatechconsulting.com/contact/ for more details.
Chris, why use your regexes instead of PHP’s strip_tags(), as suggested by gibigbig? I don’t understand what functionality is added by going that route.
Glad I found. I was just thinking about this yesterday and needed a better fn.
Is the filter_var() fn any good? ie. filter_var($value, FILTER_SANITIZE_STRING)
Thanks for the tutorial, this is very useful
The safest way is to parameterise inputs by using classes such as PDO since PHP is a loosely typed language.
Or simply cast the inputs into the type that you would expect, e.g. Expect an integer? Just put (int) before the input. Type casting is the fastest operation to sanitize numbers.
Hi! It’s a good day!
I’m just testing how this works?
I think the satinize function needs a few lines of code, since these two values wont get filtered:
<script src=”js/jquery-1.6.4.min.js” />
<span><script src=”js/jquery-1.6.4.min.js”</span>
Thanks for listening
I mean, the cleanInput function. Sorry
Lol “evilsite.com”
I really do like the efficiency of this function though.
Nice functions Chris!
But when I tried them I got this error.
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user ''@'localhost' (using password: NO)
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in
and this is the line of code that is causing the error
$output = mysql_real_escape_string($input);from this Function for stripping out malicious bits
You need to form a connection to the database first, before using mysql_real_escape_string() otherwise it will error out.
I use this function for escaping date going into the database:
function escape($string = null)
{
if (empty($string))
{
return FALSE;
}
if (function_exists(‘mysql_real_escape_string’))
{
return mysql_real_escape_string($string);
}
else
{
return str_replace(“‘”, “\’”, $string);
}
}
As for tags and XSS, I use something a little more hardcore….when I say hardcore, it basicly strips out everything I don’t want, only allowing what is listed in an array I define in the script:-
public function input($string = null)
{
if (empty($string))
{
return ”;
}
// Strip out all bbcode
$string = preg_replace(‘/\[(.*?)\](.*?)\[\/?(.*?)\]/iu’, ‘\\2′, $string);
// Convert the ok markup to bbcode
$string = preg_replace(array_keys($this->markup), $this->markup, $string);
// Strip out all html tags
$string = preg_replace(‘/\(.*?)\/iu’, ‘\\2′, $string);
// Run strip tags to make sure we got everything
$string = strip_tags($string);
// Replace double quotes with single quotes
$string = preg_replace(‘/(“)+/u’, “‘”, $string);
// Matche one or more spaces and replaces it with a single space
$string = preg_replace(‘/( )+/u’, ‘ ‘, trim($string));
return trim($string);
}
Hope these two functions help others.
Matt :)
$_POST = sanitize($_POST);$_GET = sanitize($_GET);
That is the worst method of sanitizing that I have seen. You should NEVER store back in to the same data stream the sanitized inputs, the main reason is that the script can execute and a secondary submit following almost instantly can change the values of $_POST to something else other than what the inputs have been sanitized for.
This means any subsequent use of $_POST after the double post hack happens is tainted.
Storage of the sanitized inputs in to a safe variable is best option.
Operation of a white list is also a good idea, by only accepting inputs from specific POST fields, you also limit the ability of a POST hack through a variable that you may never be using.
Also… Strip_tags() exists for the same reason as
$search = array('@]*?>.*?@si', // Strip out javascript
'@<[\/\!]*?[^]*?>@si', // Strip out HTML tags
'@]*?>.*?@siU', // Strip style tags properly
'@@' // Strip multi-line comments
);
exists. The function removes the elements from a string and covers any HTML that can be used to break a server or script.
My main point here is that $_POST even if you sanitize it, the variable should not be trusted, things can change, what once existed nano seconds ago may not be the case when your program comes to use the variables. Your opening yourselves to trouble if you do not use a safe method of sanitizing and using data streams.
For the love of god and a safe web please don’t try to write your own sanitisation methods. Use an established, peer-reviewed library.
Read Pádraic Brady’s article “HTML Sanitisation: The Devil’s In The Details (And The Vulnerabilities)” for further details: http://blog.astrumfutura.com/2010/08/html-sanitisation-the-devils-in-the-details-and-the-vulnerabilities/
After doing extensive testing of my own method (which I posted above) using web vulnerability scanners, and running the same tests on the standard php methods, i.e strip_tags and the like, I prefer to stick to my own method.
But putting all this to one side, if any developer, customer or hosting provider truly cares about the security of there online products and servers, they would have the sense to deploy a server level unified security solution such as ASL (atomic secured linux), to protect from not only web level but also server level attacks.
I do.
DigWP
A book and blog co-authored by Jeff Starr and myself about the World's most popular publishing platform.
Quotes on Design
Design, like Art, can be an elusive word to define and an awfully fun thing to have opinions about.
HTML-Ipsum
One-click copy to clipboard access to Lorem Ipsum text that comes wrapped in a variety of HTML.
Bookshelf
Hey Chris, what books do you recommend? These, young fertile mind, these.