With respect to SQL injection, probably the most portable solution is to use [man]PDO[/man] or some other DB abstraction layer, then use prepared statements. PHP's [man]mysqli[/man] interface also supports prepared statements.
If that is not a practical option at this time, then all you need to do to prevent SQL injection is to use the appropriate escaping function for the DB interface being used, e.g. [man]mysql_real_escape_string[/man] for the mysql interface (not to be confused with the newer mysqli interface mentioned above).
In either case, if there is any possibility that magic_quotes_gpc is enabled on your host, then you need to check if it's turned on via get_magic_quotes_gpc(), and if it is then undo its "damage" via [man]stripslashes[/man] before using the user-supplied data in either of the above methods.
The filtering/escaping of output to the browser is a bit more variable, as it depends in part on the type of data, and what you want to allow to be output. If the data should not be outputting any actual HTML tags, then you can use [man]htmlspecialchars[/man] or [man]htmlentities[/man] to convert any special characters to their related HTML character entities. If the data can contain some specific HTML tags, you can use [man]strip_tags[/man] and use its optional second parameter to list the allowed tags.
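The three steps in the post (undo magic_quotes, parameterise or escape the query, escape the output) put together as an added example; this is not code from the original post, and the `users` table, the PDO DSN and the credentials are assumed placeholders.

```php
<?php
// Added example, not from the original post. Assumes a hypothetical MySQL
// table users(id, name, bio) and placeholder PDO credentials.

// 1. Undo magic_quotes_gpc before using input. The function only exists on
//    older PHP (removed in PHP 8), hence the function_exists() guard.
function raw_input($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return is_array($value) ? array_map('raw_input', $value) : stripslashes($value);
    }
    return $value;
}

$name = raw_input($_GET['name'] ?? '');

// 2a. Vulnerable pattern: user input concatenated into the SQL text.
//     $sql = "SELECT id, bio FROM users WHERE name = '$name'";

// 2b. Safe: PDO prepared statement; the value is sent separately from the SQL.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'placeholder', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$stmt = $pdo->prepare('SELECT id, bio FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 2c. Fallback when prepared statements are not an option: escape with the
//     function belonging to the interface in use (mysqli shown here).
// $safe = $mysqli->real_escape_string($name);
// $sql  = "SELECT id, bio FROM users WHERE name = '$safe'";

// 3. Output escaping: entities for plain text, a tag whitelist where a few
//    HTML tags are allowed.
function out_text($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
function out_limited_html($s) {
    return strip_tags($s, '<b><i><p>');
}

if ($row) {
    echo '<h1>', out_text($name), '</h1>';
    echo '<div>', out_limited_html($row['bio']), '</div>';
}
```

Note that strip_tags() leaves attributes on the allowed tags untouched, so on its own it is not a complete HTML sanitiser for untrusted markup.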