Securing user input

GAMatt

I've read a lot on the forums about various methods of securing user input so it wont mess up my php pages, database or html output. I have got quite a list of functions i can use but am wondering if they are all necessary or which ones i should use in combination?

So far i'm using addslashes() on everything that goes into my databse, htmlentities() on any user input and was thinking about adding strip_tags() to that as well. Am i missing anything?

laserlight

i'm using addslashes() on everything that goes into my databse

This would only be useful if
a) you're using a database where backslashes are used for escape sequences, and
b) magic_quotes_gpc is 0

There might be more flexibility if you defined a function for dealing with database input.
From there you can tweak the input depending on database system and PHP settings.

Am i missing anything?

Probably not, but then your requirements seem simple enough, though rather restrictive.
e.g. users might want to post links, format text etc, so you need to handle that, unless you wish to simply deny such functions.

GAMatt

I didnt think about the text formating etc yet as it isnt going to needed for this part of the page, in fact i wanted to block it on purpose to stop people adding formating to usernames etc.

This is for login / registration and displaying usernames / emails and the such. However it will be an issue later on.....

I suppose addslashes will still be fine as i will strip them before its displayed anyway.

I guess the problem is im not really sure what i need to stop and what i can let go through safely, what tags / characters could be used to cause me trouble?

laserlight

I suppose addslashes will still be fine as i will strip them before its displayed anyway.

It would be better to check that magic_quotes_gpc is 0, then use addslashes().
You would not need to use stripslashes() data retrieved from the database.

I guess the problem is im not really sure what i need to stop and what i can let go through safely, what tags / characters could be used to cause me trouble?

Generally, htmlspecialchars() is enough to take care of malicious code injection.

GAMatt

Yeah the script i use first checks for magic_quotes_gpc and then uses addslashes if necessary.

Thanks for the help 🙂

Oh just thought of something else.... I've always been advised to store database connection functions in a file outside the web directory, however if im renting server space i assume i wont be able to do this, will keeping it in a .php file be secure enough?

bradgrafelman

For all intent and purposes... you can usually just store them in a .php file.

There are many permission-based solutions to use when securing files from prying eyes. Placing the www user in the same group as your shell account, and CHMOD'ing so only owner has read/write access, grouped users have read, and normal users have no access, etc. If you're renting webspace however, and (most likely) don't have shell access (SSH, telnet, etc.), it's hard mess with permissions much.

I could go on and on, but to make a long story short: stick them in a PHP script, and if you have any PHP download scripts, ensure that they are validating what directory the files are coming from (so that it doesn't allow someone to download the actual .php file).