Some time ago I wrote a post about the query string and I think I covered that topic pretty well; however, I didn't mention one thing: cleaning input variables. In fact it is much more important to know how to clean the $_POST and $_GET arrays than to know how to handle the query string, because variables sent by the user are the only way to hack your script. It is that simple: if you take care of input variables, then your script is 100% safe.

The whole idea of cleaning input variables is pretty simple: it comes down to "escaping" single and double quotes in variables sent by the user and replacing potentially dangerous characters with their HTML entities. There are a few ways to do it.

First we need to set the proper directives in the php.ini file, that is:

magic_quotes_gpc = Off
magic_quotes_runtime = Off

I set both to Off so that PHP won't clean GPC (GET, POST, COOKIE) variables for me by default. At first it may look like a bad idea to switch off magic_quotes, but it is not. You know the old saying: if you want something done right, do it yourself. Well, maybe I exaggerated a little bit, but you get the idea.

There are two kinds of variable cleaning: for the database and for output. Good practice is to allow the client to write whatever he wants into the database, even potentially dangerous HTML code; however, we do not want to display this code in a way that makes it easy for a newbie hacker to hack our site.

A good example of this is a forum, where people are allowed to write whatever they want. For example, they can write a JavaScript script which steals people's personal information from cookies and sends it to some other website where the thief collects this data. Really, all of this can be done with JavaScript, so we need a way to prevent it.

Cleaning Input Variables For Database

Let's assume that someone sends text by POST; first we want to clean the variable for the database. If you use the procedural mysql extension, then this can be easily done with:

// mysql_real_escape_string() needs an open mysql connection (mysql_connect)
// $_POST['data'] = "quote's";
echo $_POST['data'];                                   // raw value as sent by the client
$cleanedForDb = mysql_real_escape_string($_POST['data']); // quotes get a backslash in front
echo $cleanedForDb;

outputs:

quote's
quote\'s

The $cleanedForDb variable can now be safely inserted into any SQL query because all quotes are escaped. On the other hand, if you try to insert the raw $_POST['data'] variable into any query, then in the best case you will only get an error.

Keep in mind that if you escape data before inserting it into the database, then you must unescape it when you want to get it out of the database. That is a lot more effort than before, but security is worth it.

Cleaning Input Variable For Output

We want to display on screen data sent by the user; remembering that it can contain dangerous code, it is best to clean this data with htmlentities:

$clean = htmlentities($_POST['data'], ENT_QUOTES, 'UTF-8');

The first htmlentities argument here is the text; the second is the constant ENT_QUOTES, which means that both single and double quotes will be converted to their entities; and the third is the charset. I used UTF-8, but you can use whatever charset your site uses. The second and third arguments are optional, but it is good to add them anyway.

But it usually happens that we want to secure the whole $_POST array, and htmlentities only secures a single variable, so as programmers we need to write our own function:

// wrapper so array_map() can pass our preferred flags and charset
function confHtmlEnt($data)
{
    return htmlentities($data, ENT_QUOTES, 'UTF-8');
}

// apply it to every value of the array
$cleanPost = array_map('confHtmlEnt', $_POST);

There, the whole POST array is clean, and the cool part is that we can clean $_GET, $_COOKIE or any other array in the same manner.
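One thing the array_map() approach above does not handle is nested input: PHP turns form fields named like tags[] into sub-arrays inside $_POST, and htmlentities() on an array only produces a warning and leaves the values uncleaned. The following is an added example, not code from the original post, of a recursive version of the same idea; the sample input standing in for $_POST is constructed.

```php
<?php
// Recursive output cleaner: walks nested arrays and runs htmlentities() on
// every string leaf (and on the keys, which the client controls as well).
function cleanForOutput($data)
{
    if (is_array($data)) {
        $clean = array();
        foreach ($data as $key => $value) {
            $cleanKey = htmlentities((string) $key, ENT_QUOTES, 'UTF-8');
            $clean[$cleanKey] = cleanForOutput($value);
        }
        return $clean;
    }
    // scalar leaf: quotes, <, > and & become entities
    return htmlentities((string) $data, ENT_QUOTES, 'UTF-8');
}

// Constructed stand-in for $_POST (field names and values are made up);
// 'tags' is what PHP builds from two inputs named tags[].
$samplePost = array(
    'name'  => "O'Reilly",
    'title' => 'Say "hi"',
    'tags'  => array('<b>bold</b>', '<script>alert(1)</script>'),
);

$cleanPost = cleanForOutput($samplePost);

// every value, including the nested ones, is now safe to echo into HTML
foreach ($cleanPost as $field => $value) {
    if (is_array($value)) {
        foreach ($value as $i => $item) {
            echo $field, '[', $i, '] = ', $item, "\n";
        }
    } else {
        echo $field, ' = ', $value, "\n";
    }
}
```

Cleaning the whole array once at the top of the script, as the post suggests, means the script's echo statements never see a raw value.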

Remember when I said we need to unescape slashes when getting data out of the database? Here is how to do it:

// $row['column_1'] = "quote\'s";   // value as fetched from the database
echo $row['column_1'];
$unescaped = stripslashes($row['column_1']); // removes the backslashes added by escaping
echo $unescaped;

output:

quote\'s
quote's

or if we want to unescape a whole row:

$unescaped = array_map('stripslashes', $row);

Hmm, I thought it would be a pretty short post, but it became quite long. Fortunately this is all you need to know to make your scripts 99% safer than before.