Clean All User Inputs
You should always clean user input before you use it. That means escaping strings correctly for the place they are going, stripping HTML tags, preventing SQL injection, and guarding against similar problems. Any time you read $_POST, $_GET, or any other data the user can modify, you must escape and clean it, in every case.
Let's get into the details.
Preventing SQL Injection
Let's take a login form as an example. To check whether the user logged in correctly, you might query the database like this:
select `username`, `password` from `users` where `username` = '$uname' and `password` = '$pass';
If someone types ' or username like '%admin%'; into the username field, the leading quote closes the string literal and the rest of the input is parsed as SQL, so the query can match an account whose username contains admin without the right password. The fix offered by the old mysql extension is mysql_real_escape_string(), which must be called after connecting to the MySQL server (it needs the connection's character set) and whose return value you must keep:
$uname = mysql_real_escape_string($uname);
This escapes every character that could change the meaning of the query string: single and double quotes, backslashes, NUL, and newline characters. Note that the mysql_* functions were deprecated in PHP 5.5 and removed in PHP 7.0. On current PHP, use mysqli or PDO with prepared statements instead: the SQL text is fixed and the values are passed separately, so there is no escaping step to forget.
A separate problem is the LIKE wildcards % and _. Escaping for quoting does not touch them: neither mysql_real_escape_string() nor addslashes() (which escapes only ', ", \ and NUL) stops a user-supplied % from matching every row in a LIKE clause. If the value goes into a LIKE pattern, also escape the wildcards with a backslash, which is MySQL's default LIKE escape character:
$uname = addcslashes($uname, '%_');
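The following is an added example, not code from the original tutorial. It shows the login query above written the vulnerable way beside the prepared-statement form that replaced the mysql_* functions, plus the LIKE wildcard point, using PDO. It assumes PHP 7.1 or later with the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline; the table, the rows, the payload and the findUser()/searchUsers() helpers are constructed for this example. Against MySQL only the DSN changes.

```php
<?php
// Added example, not from the original tutorial: the login query from the text,
// first as string interpolation (vulnerable), then as a prepared statement.
// Assumes PHP 7.1+ with pdo_sqlite; an in-memory SQLite database stands in for
// MySQL so the script runs offline.  For MySQL change only the DSN, e.g.
// new PDO('mysql:host=localhost;dbname=app', $user, $password).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.  Plaintext passwords only mirror the tutorial's
// query; real code stores password_hash() output and checks password_verify().
$pdo->exec('CREATE TABLE users (username TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES ('admin', 's3cret'), ('bob', 'hunter2')");

// The payload from the text, as typed into the username field.
$uname = "' or username like '%admin%';";
$pass  = 'anything';

// 1. Vulnerable: the value is pasted into the SQL text, so the leading quote
//    closes the literal and everything after it is parsed as SQL.  Printed,
//    not executed, so the corrupted statement is visible.
$vulnerable = "select `username`, `password` from `users` "
            . "where `username` = '$uname' and `password` = '$pass';";
echo "SQL the attacker now controls:\n  $vulnerable\n\n";

// 2. Hardened: the SQL text is fixed at prepare time and the values are sent
//    separately, so quotes, semicolons and keywords inside $uname cannot change
//    the statement.  There is no escaping call to forget.
function findUser(PDO $pdo, string $uname, string $pass): ?array
{
    $stmt = $pdo->prepare(
        'SELECT username, password FROM users WHERE username = ? AND password = ?'
    );
    $stmt->execute([$uname, $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

var_dump(findUser($pdo, $uname, $pass));      // the payload is just an unknown username
var_dump(findUser($pdo, 'admin', 's3cret'));  // a genuine login still works

// 3. LIKE wildcards are a separate issue: a bound parameter stops injection, but
//    '%' and '_' inside the bound value are still wildcards to LIKE.  Escape them
//    with an escape character declared in the query ('!' here, so the same code
//    works on MySQL and SQLite without depending on backslash handling).
function searchUsers(PDO $pdo, string $term): array
{
    // Escape the escape character first, then the two wildcards.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    $stmt = $pdo->prepare(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '!'"
    );
    $stmt->execute(['%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(searchUsers($pdo, '%'));    // a literal percent sign, not "match everything"
print_r(searchUsers($pdo, 'adm'));  // an ordinary substring search
```

Run it with the php command-line binary. The interesting comparison is the first echo against the first var_dump: the same input that rewrites the interpolated query is nothing more than an odd username once it travels as a bound parameter.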
HTML filtering
Sometimes you want to encode the HTML in a string so that it is displayed as text rather than rendered. To do this, you use
$var = "<b>bold</b>";
$var = htmlentities($var);
which turns $var into:
&lt;b&gt;bold&lt;/b&gt;
A browser shows that as the literal text <b>bold</b> instead of rendering bold text.
To change it back to the original form, you use
$var = html_entity_decode($var);
To strip the HTML tags from a string, optionally specifying which tags you want to allow, you use
$var = "<a><b>link</a></b>";
$var = strip_tags($var, '<a><b>');
The second argument is optional; passing just the string strips every tag. This example lets only <a> and <b> tags through. However, strip_tags() is not failsafe: malformed tags can cause it to remove more or less than you intended, and it leaves the attributes on allowed tags untouched, so an onclick or style attribute on a permitted <b> survives. Do not rely on it as your only defence against script injection.
To make sure HTML does not render when a string is shown in a page, use
$var = htmlspecialchars($var, ENT_QUOTES, 'UTF-8');
This converts &, <, >, " and (with ENT_QUOTES) ' to entities, which is enough for the browser to treat the value as text, including inside a quoted attribute. Always pass the charset explicitly so it matches the page's encoding.
If you have a string that was escaped with mysql_real_escape_string() or addslashes(), you can use $var = stripslashes($var); to remove the backslashes they added. Do this only on data you are about to display or process, never on a value that is going back into a query.
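The next block is an added example, not from the original tutorial. It applies the HTML functions above to one constructed input so the differences are visible side by side: htmlspecialchars() for output, htmlentities() and html_entity_decode() as a round trip, and the attribute problem with strip_tags(). It assumes PHP 7 or later on the command line; the $input string and the e() helper are constructed for this example.

```php
<?php
// Added example, not from the original tutorial: the HTML functions from the
// text applied to one constructed input.  Assumes PHP 7+ on the CLI; the e()
// helper and the $input string are constructed here.

// Constructed attacker-controlled input: an allowed-looking <b> carrying an
// event handler, an ampersand, and an <img> whose onerror runs script.
$input = '<b onmouseover="alert(1)">bold</b> & <img src=x onerror=alert(1)>';

// 1. Output encoding.  ENT_QUOTES also encodes ' and ", so the result is safe
//    as text content and inside quoted attributes.  Always pass the charset: a
//    mismatch between the page's charset and the function's is a classic way
//    for bytes to slip through unencoded.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
echo e($input), "\n";

// 2. htmlentities() does what htmlspecialchars() does and additionally encodes
//    every character that has a named entity (accented letters, for example);
//    html_entity_decode() reverses it when the original text is needed again.
$encoded = htmlentities('<b>café</b>', ENT_QUOTES, 'UTF-8');
echo $encoded, "\n";
echo html_entity_decode($encoded, ENT_QUOTES, 'UTF-8'), "\n";

// 3. strip_tags() removes the <img> but keeps the allowed <b> together with its
//    onmouseover attribute, because it never inspects attributes.
echo strip_tags($input, '<b>'), "\n";

// 4. Stripping and then encoding what remains is safe, but it also neutralises
//    the tags you meant to allow.  Keeping some markup safely needs a sanitiser
//    that understands attributes (HTML Purifier is one), not strip_tags().
echo e(strip_tags($input, '<b>')), "\n";
```

Compare the first and third lines of output: encoding turns the event handler into inert text, while strip_tags() with an allow-list hands it back still attached to a live tag.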
Escaping depends on where the data ends up: a SQL statement and an HTML page need different treatment, so a single catch-all cleaner is only a convenience for values you are going to display. Database values should go through prepared statements or mysql_real_escape_string() separately. With that in mind, putting the display functions together gives something like:
function CleanStr($var) {
    // Each function returns the cleaned string; keep the return values.
    $var = stripslashes($var);                       // undo addslashes() escaping
    $var = strip_tags($var);                         // remove all tags first ...
    $var = htmlentities($var, ENT_QUOTES, 'UTF-8');  // ... then encode what is left
    return $var;
}