Proper way to strip content before table insertion?

schwim

Hi there guys,

I'm trying to properly prepare some content added by a form before adding it to the db, and then properly display it from a page. I've found some info via the web concerning different things I want to strip, and then fix before displaying, but it seems I may have conglomerated one too many tutorials, because now, my data is all botched when it inserts into the db. Here's what I have

$title (no html/no illegal characters)
$active (just a single digit(0 or 1) to determine whether to show this. I'm inserting this as a hidden var, and have created the db table as "tiny_int")
$postdate (currently using $postdate =date("Y-m-d hⓂs");
$date2 = mktime();, I don't know why I have the date2, but it was in a tutorial)
$author (no html/no illegal characters)
$text , & allowed/no illegal characters)

Here's how I'm inserting and pulling from the db:

Insert:

$title = strip_tags(addslashes($title));
$postdate =date("Y-m-d h:m:s");
$date2 = mktime();
$author = strip_tags(addslashes($author));
$text = strip_tags(addslashes($text, '<p>', '<br>', '<b>');

Retrieve:

$title = stripslashes($title);
$postdate =date("Y-m-d h:m:s");
$date2 = mktime();
$author = stripslashes($author);
$text = stripslashes($text);

Am I going about this the right way? I would like to make sure that it's secure, and after browsing all of the functions I can find at php.net, it seems that these are the ones I need, but I'm getting double slashes, and the allowed html doesn't show up. I found the "magic_quotes" function, but I thought that I'd be doing something redundant if I used it with the stripslashes function.

thanks,
json

sneakyimp

well this line at least looks wrong...at the very least it's incorrect syntax:

$text = strip_tags(addslashes($text, '<p>', '<br>', '<b>');

as far as i know, addslashes only takes one arg. this might work better:

$text = strip_tags(addslashes($text), '<p>', '<br>', '<b>');

Generally speaking, there are a few things you need to worry about when putting user input into a database

1) is magic_quotes on?
magic_quotes is a php feature that (i think) is meant to protect clueless noobs from writing code that is vulnerable to sql injection. it takes single and double quotes and escapes them with a backslash. if magic quotes are on, I remove them like this:

// this fn recursively strips backslashes from an array
function jta_strip_backslashes_recursive($arg) {
        if (is_array($arg)) {
                $result = Array();
                foreach($arg as $key => $value) {
                        $result[$key] = jta_strip_backslashes_recursive($value);
                }
                return $result;
        } else {
                return stripslashes($arg);
        }
}

if (get_magic_quotes_gpc()==1) {
  // might wanna do $_POST first?  I don't recall which var is not defined
  // in later versions of php... think later versions no longer define $HTTP_POST_VARS
  $HTTP_POST_VARS = jta_strip_backslashes_recursive($HTTP_POST_VARS);
  $_POST = $HTTP_POST_VARS;
  $HTTP_GET_VARS = jta_strip_backslashes_recursive($HTTP_GET_VARS);
  $_GET = $HTTP_GET_VARS;
  $_REQUEST = jta_strip_backslashes_recursive($_REQUEST);
}

2) use of register globals
Most people think that if you POST or GET a form input named 'my_var' to a php page that the variable $my_var will automatically be defined within that php page. This is not always the case. $my_var will contain the value in that form input if you have 'register globals' on in your PHP ini. If I were you, I would avoid assuming those vars will be defined and instead refer to the long but more secure $POST['my_var'] and/or $GET['my_var'].

Having register globals on means that your code can be vulnerable to malicious users who take advantage of vars that you don't explicitly initialize. more here:
http://us2.php.net/register_globals

3) escaping data before doing an INSERT query
why do we addslashes? so when we take user input and stick it in a query, the query is still valid if the user input has quotes in it. eg.

INVALID SQL - see how the single quote breaks your sql:
INSERT INTO TABLE_X SET client_name='Jerry O'Malley';

VALID SQL - escaping that single quote makes everything cool:
INSERT INTO TABLE_X SET client_name='Jerry O\'Malley';

Anyways, addslashes might work on ' and " but maybe not on ` or some foreign language quote mark that your database engine nevertheless recognizes. that's why I use mysql_escape_string():
http://us2.php.net/mysql_escape_string

or maybe
mysql_real_escape_string():
http://us2.php.net/manual/en/function.mysql-real-escape-string.php

If you're not using mysql, there's probably an equivalent function for your database technology.

4) SCREEN THE USER INPUT
You can bet that evil hackers will take advantage of your site if you don't screen user input properly. Generally speaking i will do the following
a) for all numeric values, make sure data is actually a number using is_numeric() or some similar function
b) for all text values, remove the magic quotes and then use a proper database escape function like mysql_escape_string()

Hope that's helpful.

As for removing the tags, hmm.....apparently strip_tags doesn't work so well. You might try some pattern matching stuff like preg_replace. google around and you can probably find some.

schwim

Hi there sneakyimp, and thanks very much for your reply.

I didn't add it in the post, because I thought it was unnecessary, but I do use the POST[$var] when it's coming from the form. I don't know any other way to get the data in fact, as if I don't use that method, my data doesn't get inserted).

I will look into mysql_escape_string() and custom writing that crazy pregreplace stuff that I see. That seems like such a terrible way to strip dangerous stuff, as we're now counting on me to think of all the bad stuff to replace 😃

thanks again very much for your help,
json

sneakyimp

well if you're worried about dangerous html, you can use htmlspecialchars() to stop the html. it will convert a few special chars such as <, >, ", and ' into their special html codes. It's a pretty effective way to disable people putting html in their posts.

that crazy preg stuff, although difficult to master, is extremely powerful.

schwim

Hi there again,

Well, I want to allow some html, like bold, paragraphs, breaks, etc., so I can't strip all of the html from the submission.

I didn't mean to insinuate that the preg replace function was silly, just trusting myself to figure out how to use it. I tried altering a line in a forum script that was using it, and it honestly was like reading a foreign language. I never did figure out how it was doing what it was.

I think as a start I will use the mysql escape function, and try to find a way to use strip_tags in a way that allows some html tags to remain. As the script grows, I will try to use my incredibly savvy coding skills to write a competent safeguard against abuse.

Sounds like I know what the hell I'm doing, doesn't it? 😃

Thanks again very much for taking the time to help me. It helps more than you know to hear of functions that I wasn't aware of, because sometimes php.net doesn't cross reference things like the escape function.

thanks,
json

sneakyimp

pattern matching is like a foreign language. you can read more about it here:
http://us3.php.net/manual/en/reference.pcre.pattern.syntax.php
http://us3.php.net/manual/en/reference.pcre.pattern.modifiers.php

you might also try googling for 'regular expression tester'. here's one i found:
http://www.roblocher.com/technotes/regexp.aspx

schwim

sneakyimp wrote:
well this line at least looks wrong...at the very least it's incorrect syntax:
$text = strip_tags(addslashes($text, '', ' ', ''); 
as far as i know, addslashes only takes one arg. this might work better:
$text = strip_tags(addslashes($text), '', ' ', '');

Also sneaky, where you wrote the above. Am I missing where the second instance differs from the first, or did you forget to alter it? They look identical to me.

thanks,
json

schwim

Sorry, I think I see it now. I forgot an ending ")", right?

thanks,
json

schwim

Well, I can now testify to the fact that the following statement is not going to work:

$text = strip_tags (addslashes ($_POST['text']), '<p>', '<br>', '<b>');

I get the following error:

Warning: Wrong parameter count for strip_tags() in /usr/local/psa/home/vhosts/roughingthesuspect.com/httpdocs/automonial/submit.php on line 44

Which I guess is a kind way to say that I used the function improperly.

hehe, I really suck at this.

I'm off in search of selective html stripping methods.

thanks,
json

schwim

I found this in the comments under strip_tags function page on php.net:

function removeEvilAttributes($tagSource)
{
       $stripAttrib = "' (style|class)=\"(.*?)\"'i";
       $tagSource = stripslashes($tagSource);
       $tagSource = preg_replace($stripAttrib, '', $tagSource);
       return $tagSource;
}

function removeEvilTags($source)
{
   $allowedTags='<a><br><b><h1><h2><h3><h4><i>' .
             '<img><li><ol><p><strong><table>' .
             '<tr><td><th><u><ul>';
   $source = strip_tags($source, $allowedTags);
   return preg_replace('/<(.*?)>/ie', "'<'.removeEvilAttributes('\\1').'>'", $source);
}

$text = '<p style="Normal">Saluton el <a href="#?"
 class="xsarial">Esperanto-lando</a><img src="my.jpg"
 alt="Saluton" width=100 height=100></p>';

$text = removeEvilTags($text);

var_dump($text);

Does anyone see a reason why I shouldn't use this if I want to allow certain tags and disallow the rest? It's a very simple form, so I don't need to allow complex tags, and I'm not worried about it breaking xml and such, I just want to make sure it's secure.

thanks,
json

schwim

Please disregard this post. I figured out my mistake, and it was form based, not php.