Comments on: Clean input variable PHP http://ditio.net/2008/06/29/clean-input-variable-php/ Practical guide to WordPress development, blogging and programming Sun, 11 Dec 2011 21:19:45 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Viper-7 http://ditio.net/2008/06/29/clean-input-variable-php/comment-page-1/#comment-181530 Viper-7 Fri, 09 Sep 2011 07:22:10 +0000 http://ditio.net/?p=26#comment-181530 "Keep in mind that if you escape data before inserting it into database then you must unescape it when you want to get it out of database, a lot more effort then before, but security is worth it." "Remember when i said we need to unescape, slashes when getting data out of database? Here is how to do it:" Sorry, but both of those are quite wrong :< Escaping data is for the *TRANSPORT* between PHP, and your database - once your database has received that data, it will store it without the escaping slashes. When you SELECT it back out, the slashes won't be there. If you're seeing extra slashes in your data, it means you're escaping TWICE, which is not a good idea, and can actually open some rather nasty security HOLES. What you're seeing is because Wordpress automatically escapes all inputs, just like magic_quotes_gpc does, and yes, it suffers from the same issues ( as detailed here http://php.net/magic_quotes ). If you're using stripslashes at all, you should be using it BEFORE you use your database specific escaping function, like mysql_real_escape_string(). This way mysql_real_escape_string() is fed the actual content you want to store in the database, and it'll work correctly. You shouldn't ever need stripslashes() when SELECT'ing data out from your database. “Keep in mind that if you escape data before inserting it into database then you must unescape it when you want to get it out of database, a lot more effort then before, but security is worth it.”

“Remember when i said we need to unescape, slashes when getting data out of database? Here is how to do it:”

Sorry, but both of those are quite wrong :<

Escaping data is for the *TRANSPORT* between PHP, and your database – once your database has received that data, it will store it without the escaping slashes. When you SELECT it back out, the slashes won't be there. If you're seeing extra slashes in your data, it means you're escaping TWICE, which is not a good idea, and can actually open some rather nasty security HOLES.

What you're seeing is because WordPress automatically escapes all inputs, just like magic_quotes_gpc does, and yes, it suffers from the same issues ( as detailed here http://php.net/magic_quotes ).

If you're using stripslashes at all, you should be using it BEFORE you use your database specific escaping function, like mysql_real_escape_string(). This way mysql_real_escape_string() is fed the actual content you want to store in the database, and it'll work correctly.

You shouldn't ever need stripslashes() when SELECT'ing data out from your database.

]]> By: SMS http://ditio.net/2008/06/29/clean-input-variable-php/comment-page-1/#comment-118650 SMS Wed, 27 Apr 2011 15:34:06 +0000 http://ditio.net/?p=26#comment-118650 I knew I needed to protect my form processor from the data submitted to it, but wasn't sure how to do it with PHP. This helps a bunch, thanks! I knew I needed to protect my form processor from the data submitted to it, but wasn’t sure how to do it with PHP. This helps a bunch, thanks!

]]> By: Karl http://ditio.net/2008/06/29/clean-input-variable-php/comment-page-1/#comment-116367 Karl Thu, 21 Apr 2011 08:13:38 +0000 http://ditio.net/?p=26#comment-116367 Hi Thanks been looking for a simple to understand and logical way to clean entries in to a database. This article was very helpful is there any other tips about cleaning code or making it more secure before it get to a database , currently have dreamweaver code with your code slotted in to try and stop attacks Any help would be much appreciated. Code: if (!function_exists("GetSQLValueString")) { function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") { $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue; $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue); $theValue = htmlentities($theValue, ENT_QUOTES, 'UTF-8'); trim($theValue); switch ($theType) { case "text": $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL"; break; case "long": case "int": $theValue = ($theValue != "") ? intval($theValue) : "NULL"; break; case "double": $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL"; break; case "date": $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL"; break; case "defined": $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue; break; } return $theValue;}} Hi Thanks been looking for a simple to understand and logical way to clean entries in to a database.
This article was very helpful is there any other tips about cleaning code or making it more secure before it get to a database , currently have dreamweaver code with your code slotted in to try and stop attacks
Any help would be much appreciated.
Code:
if (!function_exists(“GetSQLValueString”)) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = “”, $theNotDefinedValue = “”)
{
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

$theValue = function_exists(“mysql_real_escape_string”) ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
$theValue = htmlentities($theValue, ENT_QUOTES, ‘UTF-8′);
trim($theValue);
switch ($theType) {
case “text”:
$theValue = ($theValue != “”) ? “‘” . $theValue . “‘” : “NULL”;
break; case “long”:
case “int”:
$theValue = ($theValue != “”) ? intval($theValue) : “NULL”;
break; case “double”:
$theValue = ($theValue != “”) ? “‘” . doubleval($theValue) . “‘” : “NULL”;
break; case “date”:
$theValue = ($theValue != “”) ? “‘” . $theValue . “‘” : “NULL”;
break; case “defined”:
$theValue = ($theValue != “”) ? $theDefinedValue : $theNotDefinedValue;
break; } return $theValue;}}

]]> By: jenifer http://ditio.net/2008/06/29/clean-input-variable-php/comment-page-1/#comment-92251 jenifer Fri, 11 Feb 2011 16:18:06 +0000 http://ditio.net/?p=26#comment-92251 Nice read. I found your blog on bing and i have your page bookmarked on my favorite read list! I’m a fan of your blog. Keep up the good work Nice read. I found your blog on bing and i have your page bookmarked on my favorite read list!
I’m a fan of your blog. Keep up the good work

]]> By: Plr Store http://ditio.net/2008/06/29/clean-input-variable-php/comment-page-1/#comment-77476 Plr Store Thu, 16 Dec 2010 14:25:14 +0000 http://ditio.net/?p=26#comment-77476 Thanks, Charlie, your script is superb, I also added a stripslases and strip_tags in there for good measure Thanks, Charlie, your script is superb, I also added a stripslases and strip_tags in there for good measure

]]> By: Wilfred Sikel http://ditio.net/2008/06/29/clean-input-variable-php/comment-page-1/#comment-38024 Wilfred Sikel Wed, 14 Apr 2010 08:01:13 +0000 http://ditio.net/?p=26#comment-38024 Superb Post. Niftier then the simillar post I checked 2 days ago on Wordpress. Maintain the good work. Superb Post. Niftier then the simillar post I checked 2 days ago on WordPress. Maintain the good work.

]]> By: Matt http://ditio.net/2008/06/29/clean-input-variable-php/comment-page-1/#comment-32552 Matt Sun, 14 Feb 2010 07:01:53 +0000 http://ditio.net/?p=26#comment-32552 This is nice, however you're missing one important aspect... GET and POST arrays can have arrays as values, so this will fail to clean them (and may infact throw a PHP error as well). Recursive functions come in handy here... function __stripslashes($var) { $var = is_array($var) ? array_map('__stripslashes', $var) : stripslashes($var); return $var; } function __htmlspecialchars($var, $style) { $var = is_array($var) ? array_map('__htmlspecialchars', $var, array_fill(0, count($var), $style)) : htmlspecialchars($var, $style); return $var; } $_GET = __stripslashes($_GET); $_GET = __htmlspecialchars($_GET, ENT_QUOTES); This is nice, however you’re missing one important aspect… GET and POST arrays can have arrays as values, so this will fail to clean them (and may infact throw a PHP error as well).

Recursive functions come in handy here…
function __stripslashes($var)
{
$var = is_array($var) ? array_map(‘__stripslashes’, $var) : stripslashes($var);

return $var;
}
function __htmlspecialchars($var, $style)
{
$var = is_array($var) ? array_map(‘__htmlspecialchars’, $var, array_fill(0, count($var), $style)) : htmlspecialchars($var, $style);

return $var;
}
$_GET = __stripslashes($_GET);
$_GET = __htmlspecialchars($_GET, ENT_QUOTES);

]]> By: dave http://ditio.net/2008/06/29/clean-input-variable-php/comment-page-1/#comment-30663 dave Sat, 02 Jan 2010 21:32:32 +0000 http://ditio.net/?p=26#comment-30663 Jolly Joker. it does work. Thank you Charles. Jolly Joker. it does work. Thank you Charles.

]]> By: jolly joker http://ditio.net/2008/06/29/clean-input-variable-php/comment-page-1/#comment-30356 jolly joker Sat, 26 Dec 2009 02:52:41 +0000 http://ditio.net/?p=26#comment-30356 charlies solution is known to work, it never fails. charlies solution is known to work, it never fails.

]]> By: Charlie http://ditio.net/2008/06/29/clean-input-variable-php/comment-page-1/#comment-26113 Charlie Thu, 17 Sep 2009 16:39:02 +0000 http://ditio.net/?p=26#comment-26113 edit: the function is missing a "return $data;" line at the end. edit: the function is missing a “return $data;” line at the end.

]]>