The ultimate clean/secure function

by

The idea of a generic sanitation function is a broken concept.

There is one right sanitation method for every purpose. Running them all indiscriminately on a string will often break it – escaping a piece of HTML code for a SQL query will break it for use in a web page, and vice versa. Sanitation should be applied right before using the data:

  • before running a database query. The right sanitation method depends on the library you use; they are listed in How can I prevent SQL injection in PHP?

  • htmlspecialchars() for safe HTML output

  • preg_quote() for use in a regular expression

  • escapeshellarg() / escapeshellcmd() for use in an external command

  • etc. etc.

Using a “one size fits all” sanitation function is like using five kinds of highly toxic insecticide on a plant that can by definition only contain one kind of bug – only to find out that your plants are infested by a sixth kind, on which none of the insecticides work.

Always use that one right method, ideally straight before passing the data to the function. Never mix methods unless you need to.

More Related Contents:

  1. How can I sanitize user input with PHP?
  2. Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
  3. xss attack on a php page
  4. How can I prevent SQL injection in PHP?
  5. SQL injection that gets around mysql_real_escape_string()
  6. Are PDO prepared statements sufficient to prevent SQL injection?
  7. Is “mysqli_real_escape_string” enough to avoid SQL injection or other SQL attacks?
  8. Reference: What is a perfect code sample using the MySQL extension? [closed]
  9. What are the best practices for avoiding xss attacks in a PHP site [closed]
  10. When should I use prepared statements?
  11. Examples of SQL Injections through addslashes()?
  12. SQL injections in ADOdb and general website security
  13. Best way to defend against mysql injection and cross site scripting
  14. Why is using a mysql prepared statement more secure than using the common escape functions?
  15. how safe are PDO prepared statements
  16. CodeIgniter – why use xss_clean
  17. How do you set up use HttpOnly cookies in PHP
  18. Is htmlspecialchars enough to prevent an SQL injection on a variable enclosed in single quotes?
  19. What does mysql_real_escape_string() do that addslashes() doesn’t?
  20. PHP_SELF and XSS
  21. Full Secure Image Upload Script
  22. What does it mean to escape a string?
  23. PHP $_SERVER[‘HTTP_HOST’] vs. $_SERVER[‘SERVER_NAME’], am I understanding the man pages correctly?
  24. Are mysql_real_escape_string() and mysql_escape_string() sufficient for app security?
  25. How can I relax PHP’s open_basedir restriction?
  26. How to run PHP exec() as root?
  27. Hiding true database object ID in url’s
  28. Codeigniter CSRF – how does it work
  29. Set httpOnly and secure on PHPSESSID cookie in PHP
  30. Json: PHP to JavaScript safe or not?

Leave a Comment