The best answers to the question “How can I sanitize user input with PHP?” in the category Dev.
Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?
Do not try to prevent SQL injection by sanitizing input data.
Instead, do not allow data to be used in creating your SQL code. Use Prepared Statements (i.e. using parameters in a template query) that uses bound variables. It is the only way to be guaranteed against SQL injection.
Please see my website http://bobby-tables.com/ for more about preventing SQL injection.
It’s a common misconception that user input can be filtered. PHP even has a (now deprecated) “feature”, called magic-quotes, that builds on this idea. It’s nonsense. Forget about filtering (or cleaning, or whatever people call it).
What you should do, to avoid problems, is quite simple: whenever you embed a a piece of data within a foreign code, you must treat it according to the formatting rules of that code. But you must understand that such rules could be too complicated to try to follow them all manually. For example, in SQL, rules for strings, numbers and identifiers are all different. For your convenience, in most cases there is a dedicated tool for such an embedding. For example, when you need to use a PHP variable in the SQL query, you have to use a prepared statement, that will take care of all the proper formatting/treatment.
Another example is HTML: If you embed strings within HTML markup, you must escape it with
htmlspecialchars. This means that every single
A third example could be shell commands: If you are going to embed strings (such as arguments) to external commands, and call them with
exec, then you must use
Also, a very compelling example is JSON. The rules are so numerous and complicated that you would never be able to follow them all manually. That’s why you should never ever create a JSON string manually, but always use a dedicated function,
json_encode() that will correctly format every bit of data.
And so on and so forth …
The only case where you need to actively filter data, is if you’re accepting preformatted input. For example, if you let your users post HTML markup, that you plan to display on the site. However, you should be wise to avoid this at all cost, since no matter how well you filter it, it will always be a potential security hole.
PHP has the new nice
filter_input functions now, that for instance liberate you from finding ‘the ultimate e-mail regex’ now that there is a built-in
* Pork Formvalidator. validates fields by regexes and can sanitize them. Uses PHP filter_var built-in functions and extra regexes
* @package pork
Of course, keep in mind that you need to do your sql query escaping too depending on what type of db your are using (mysql_real_escape_string() is useless for an sql server for instance). You probably want to handle this automatically at your appropriate application layer like an ORM. Also, as mentioned above: for outputting to html use the other php dedicated functions like htmlspecialchars 😉
For really allowing HTML input with like stripped classes and/or tags depend on one of the dedicated xss validation packages. DO NOT WRITE YOUR OWN REGEXES TO PARSE HTML!
No. You can’t generically filter data without any context of what it’s for. Sometimes you’d want to take a SQL query as input and sometimes you’d want to take HTML as input.
You need to filter input on a whitelist — ensure that the data matches some specification of what you expect. Then you need to escape it before you use it, depending on the context in which you are using it.
The process of escaping data for SQL – to prevent SQL injection – is very different from the process of escaping data for (X)HTML, to prevent XSS.