0

Upon receiving an input from a user, I am doing the following on my server (with PHP):

$safe_input = ereg_replace("[^A-Za-z0-9-]", "", $_GET["input"]);

Then I am using the $safe_input variable for SQL queries and also printing it to the user's screen.

Does that guarantee that no injection of any sort (SQL injection, XSS, etc.) is possible?

Thanks,

Joel

Improve this question
1
  • Never mix data validation and data escaping. Validation rules may change someday Commented Jan 2, 2011 at 23:57

2 Answers 2

Reset to default
2

Well, what it does is ensure that you're only allowing A-Z (upper or lower), numerics, and the "-" dash character in your $safe_input string.

In theory, your SQL could still be munged by someone adding "--" to an input in order force the latter part of the statement to be treated as an SQL comment.

Something as simple as what you've posted is not a solution to malicious code injection - and will most likely cause you issues down the line when you want to allow a user to send characters other than the ones you've explicitly allowed.

You should look at 3rd party PHP libraries that specifically deal with this kind of thing - there are plenty out there for SQL and XSS prevention. Or even look at the server level and think about adding one of the Apache modules available for this task (providing you're using Apache of course...). By going down this route you'll be taking a much more holistic approach to protection - and you'll be leveraging expertise in this area, rather than trying to re-invent this particular wheel for your project.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

First of all ereg family of functions is deprecated, you should use preg family of functions instead:

Don't limit users to just A-Za-z0-9-. I would suggest you to go for:

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited,
secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.

You can customize as to what is accepted and what is rejected.

Interesting:

It is interesting to note that Kohana the improved alternative of CodeIgniter also supports HTML Purifier for security.

As for SQL injection, the least you can do is to use mysql_real_escape_string function. The better way is to use prepared statements though.

Improve this answer

1 Comment

Thanks for the answer, I will use HTMLPurifier, I was not aware of its existence! I will also switch to the preg function

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.