
View Full Version : Is this adequate form-field security?



Mechphisto
11-29-2010, 11:24 PM
Every form field on our site I have running through this function; is this adequate protection from SQL injection and spam-hijacking? Or am I missing something crucial?



function field_sanitize_basic($input) {
    if (!is_array($input)) {
        $input = array($input);
    }

    // Blacklist of substrings to mask. The original list also contained further
    // entries that did not survive extraction; only the readable ones are kept.
    $gobbledegook_alphabet = array('passwd', 'password', 'Bcc', 'mime', 'Content-Type', '|');

    foreach ($input as $key => $valueold) {
        // Mask every blacklisted substring (case-insensitive) and flag the submission.
        foreach ($gobbledegook_alphabet as $value2) {
            if (stristr($valueold, $value2) !== false) {
                $valueold = $input[$key] = str_ireplace($value2, '*', $valueold);
                $_SESSION['field_sanitize_basic_warning'] = '<p class="note_bold">Some potentially unsafe text in your submission was removed!</p>';
            }
        }

        // Escape HTML special characters, then strip backslashes.
        $valueold = htmlspecialchars($valueold);
        $valueold = stripslashes($valueold);
        $input[$key] = $valueold;
    }

    return $input[0];
}


(Oh, the whole doing the input and return as an array, is because I'm working on returning errors and the like -- ignore some oddness about that part. I'm just curious right now about the actual security/substitution stuff.)

Thanks for any feedback!
Liam

RyanB88
11-30-2010, 02:24 AM
Any reason you're not just using mysql_real_escape_string()?

http://php.net/manual/en/function.mysql-real-escape-string.php

Mechphisto
11-30-2010, 03:30 PM
> Any reason you're not just using mysql_real_escape_string()?
>
> http://php.net/manual/en/function.mysql-real-escape-string.php

Oops.
I messed up. This example is one for forms in which the results are sent via e-mail and are displayed on the Web page -- not for MySQL inserts, which is what I indicated when I said "SQL injection."

To be clear, EVERY form field goes through this process above, but what I didn't say was that EVERY form field that gets used in a SQL query ALSO goes through a mysql_real_escape_string() before inclusion in the query.

Sorry. Thanks!
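The thread's function applies one blacklist to fields that end up in three different places (e-mail headers, an HTML page, and SQL queries). The added example below, which is not the poster's code, shows the per-sink alternative: strip line breaks from anything placed in a mail header (the actual mechanism behind an injected Bcc or Content-Type line), escape for HTML only at output time, and use a prepared statement for the database. The field names, table name and sample submission are constructed for illustration.

```php
<?php
// Added example (not the poster's code): encode for each sink separately
// instead of masking keywords in a shared blacklist.

// 1. E-mail headers: the risk is a CR/LF that starts a new header line.
//    Remove line breaks and other control characters; a header value is one line.
function header_safe(string $value): string {
    $clean = str_replace(["\r", "\n", "\0"], '', $value);
    return preg_replace('/[\x00-\x1F\x7F]/', '', $clean);
}

// 2. HTML output: escape at the point of display, with quotes and charset set,
//    so the stored value stays raw and usable for the other sinks.
function html_safe(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. SQL: a prepared statement keeps data out of the query text entirely, so no
//    escaping function is needed (mysql_real_escape_string no longer exists in PHP 7+).
function insert_contact(PDO $db, string $name, string $email, string $message): void {
    $stmt = $db->prepare(
        'INSERT INTO contact_messages (name, email, message) VALUES (:name, :email, :message)'
    );
    $stmt->execute([':name' => $name, ':email' => $email, ':message' => $message]);
}

// Constructed sample submission: the name field carries a line break that would
// otherwise become an extra header line in the outgoing mail.
$submitted = [
    'name'    => "Liam\r\nBcc: someone@example.invalid",
    'email'   => 'liam@example.invalid',
    'message' => 'Hello <b>there</b> & "friends"',
];

// Validate the address before it goes anywhere near mail().
$emailOk = filter_var($submitted['email'], FILTER_VALIDATE_EMAIL) !== false;

$subject = header_safe('Contact from ' . $submitted['name']);  // single line again
$body    = html_safe($submitted['message']);                     // safe to echo into HTML

var_dump($emailOk);                                                          // bool(true)
var_dump($subject === 'Contact from LiamBcc: someone@example.invalid');     // bool(true)
var_dump($body === 'Hello &lt;b&gt;there&lt;/b&gt; &amp; &quot;friends&quot;'); // bool(true)

// $subject belongs in the mail headers, $body in the HTML page, and the raw
// $submitted values go to insert_contact() with a live PDO connection.
```

The stripped subject still contains the text "Bcc:", which is harmless once it cannot start a new header line; that is the point of filtering the line break rather than the word.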


