04-24-2012, 05:41 PM
I am trying to learn security for PHP and right now I am just working on input from forms and outputting that data.
I was going to use mysql_escape stuff but in my research it looks like bound parameters may be better? Is that correct?
I've been reading a lot of sites on this and they are pretty confusing so I want to make sure I am heading in the right direction.
04-24-2012, 11:31 PM
If you have it, use mysqli or pdo and use bound parameters without any additional escaping (including magic_quotes so strip them off). The structure of the query is pre-compiled so you cannot introduce an injection into a prepared statement.
04-25-2012, 12:35 AM
The best way to secure data is to validate it. When you first read in the data you should check that the information in the field makes sense for what the field should contain. If it is supposed to be a number then test with is_numeric(), if it is supposed to be an email address then use the email validation filter - http://au.php.net/manual/en/filter.filters.validate.php - and if there is no function or filter available to validate the field for what it is allowed to contain then write your own validation routine (probably using regular expressions).
Doing that will mean that you will not be processing garbage regardless of how harmless the garbage might be.
If your data is always validated then the only remaining risk is where the data can validly contain something that looks like code. That's where escaping comes in. While it is possible to keep the data completely separate from the code for SQL queries by using prepare/bind with mysqli or PDO and therefore make it impossible for the data and code to be confused, the same is NOT possible if you are outputting data in HTML. The only option in those situations is to escape the data immediately before outputting it - for HTML use htmlspecialchars() to convert the values in the data that can be confused with HTML tags into their HTML entity codes.
When you read data back in from the database you should sanitize it (similar to validation but doesn't produce error messages, just strips out anything invalid) just in case someone has tampered with the stored data so that it is no longer valid (e.g. you might have made a typo when manually updating the database).
A good book on PHP security is "Essential PHP Security", an O'Reilly book written by Chris Shiflett - http://shop.oreilly.com/product/9780596006563.do
04-25-2012, 08:25 PM
Thanks for the info! I have already ordered the book and wanted to get started while I was waiting for it.
So in a nut shell what I need to do is
1. Validate or sanitize any data received before sending to the DB
2. Use prepared or bound statements to insert/update and query
3. Then sanitize all DB data that is to be displayed on the web page by using htmlspecialchars()
I may have oversimplified it but things work out easier for me if I start with the extreme basics and build up :thumbsup:
felgall - I will be using your site for reference - thanks!
04-25-2012, 09:33 PM
3. Maybe. Depends if the data is supposed to be text or HTML. Escape it if it's text like on a forum here, leave it intact if it's a template.
Don't forget to stripslashes if you have magic_quotes_gpc on. This is vital if you bind, otherwise it will show with the escapes.
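The three steps summarised in the thread (validate on input, bind parameters with PDO, escape with htmlspecialchars() only at output time) plus the magic_quotes_gpc caveat from the last reply, put together as an added example that is not from any of the posters; the `comments` table, its columns and the DSN/credentials are placeholders.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection to a table
// comments(email, body); the table, columns and DSN are placeholders.

// 1. Undo magic_quotes_gpc (PHP 5.3 and older) so bound values are stored
//    without the backslashes that setting adds. Assumes flat form fields.
function stripMagicQuotes(array $input) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return array_map('stripslashes', $input);
    }
    return $input;
}

// 2. Validate: reject input that cannot be what the field claims to be.
function validateComment(array $input) {
    $email = filter_var(isset($input['email']) ? $input['email'] : '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('email is not a valid address');
    }
    $body = isset($input['body']) ? trim((string) $input['body']) : '';
    if ($body === '' || strlen($body) > 2000) {
        throw new InvalidArgumentException('body must be 1-2000 bytes');
    }
    return array('email' => $email, 'body' => $body);
}

// 3. Store with a prepared statement: the SQL is fixed before the values
//    are sent, so a value can never be parsed as part of the query.
function storeComment(PDO $pdo, array $c) {
    $stmt = $pdo->prepare('INSERT INTO comments (email, body) VALUES (:email, :body)');
    $stmt->bindValue(':email', $c['email'], PDO::PARAM_STR);
    $stmt->bindValue(':body', $c['body'], PDO::PARAM_STR);
    $stmt->execute();
}

// 4. Escape at output time, not before storing, so the raw text stays
//    usable elsewhere and HTML metacharacters become entities here.
function renderComment(array $row) {
    return '<p><b>' . htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8') . '</b>: '
         . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . '</p>';
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // use real server-side prepares
storeComment($pdo, validateComment(stripMagicQuotes($_POST)));
foreach ($pdo->query('SELECT email, body FROM comments') as $row) {
    echo renderComment($row);
}
```

Nothing in steps 1 to 3 escapes for HTML, and step 4 escapes unconditionally, which matches the "text, not template" case from the last reply; content that is meant to be rendered as HTML would need a whitelist filter rather than htmlspecialchars().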