The server accepts data into which anyone can easily write a script or try to break through the protection of the server or database with quotes. I try to close all vulnerabilities as cleanly as possible, but there are two conditions:

  • Quotes and line breaks should be kept. In this case the line breaks come from a textarea, so \n is replaced with <br> .
  • When checking for empty field content, a field that contains only punctuation (quotation marks or dots) should not pass the test, and the answer should be "empty field".

At the beginning of the script I have a function that clears the $_POST array of everything unnecessary; it looks like this:

 // Clean one string: newlines become <br>, all other tags are stripped,
 // and the result is HTML-escaped (note that this also escapes the <br>
 // just inserted, so it has to be decoded again before output).
 function quote_clear($data) {
     $data = str_replace("\n", '<br>', $data);
     $data = strip_tags($data, '<br>');
     $data = htmlspecialchars($data, ENT_QUOTES);
     return $data;
 }

 // Walk the (possibly two-level) $_POST array and clean every value.
 // The loop variables are taken by reference (&): without that the
 // original version assigned to local copies and the array came back unchanged.
 function quote($var) {
     foreach ($var as &$row) {
         if (is_array($row)) {
             foreach ($row as &$row2) {
                 $row2 = quote_clear($row2);
             }
             unset($row2);
         } else {
             $row = quote_clear($row);
         }
     }
     unset($row);
     return $var;
 }

But in the comments I was told that real data is usually passed to the database as is, with all tags, quotes and everything else. I now see some benefit in this, but I do not understand how protection works in that case.

That is, we remove my sweeping function, and now anything can get into the database, and SQL injections are just waiting to take over the world. I have already read through the topics with the ingenious tip "each variable has its own protection", and not a single example in addition.

The site is a form in which there is:

  • input (text) - for e-mail, mobile phone, customer name, links, and so on.
  • input (checkbox) - obviously just a choice of the categories that the customer wants to include in the request.
  • textarea - a comment for each category selected with a checkbox.

I believe that any of these inputs can be altered on the client, which means that all of them should be given certain security measures. Initially I thought that if you remove all the special characters and tags, and escape everything that remains, it will be as safe as possible and, most importantly, universal, but now I do not understand what safety is at all.

Could you give me an example of data protection in my case? I am using mysqli.

Thank you for your attention.

  • Typically, filtering user input is not considered good protection - there is no guarantee that you will not forget it, and no guarantee that you will not need to filter something else at some point. As far as I know, filtering is best done in the places where you get arbitrary data and want to output it somewhere; do not add the invariant "some data somewhere is stored safely" to the system. For example, when writing to the database, use parameter substitution instead of manually "assembling" the query; when outputting to HTML, wrap all the data in htmlspecialchars . - yeputons
  • You have the wrong approach to protection: you should not filter the input, but the output. You need to escape the data in SQL queries using mysqli or PDO, and in HTML you should escape it right before output (and not at input time, as you do) or, preferably, use a template engine. - andreymal
  • @andreymal Okay, I realized that I was doing something wrong, but I did not understand why or how. I assumed that before passing the data to the database I clean it of possibly dangerous code, quotes, PHP tags, etc., and after that I immediately put the clean data into the database. At output I assumed you could decode ( htmlspecialchars_decode ) the HTML code that remained, and that way we did not lose anything important. (sort of like that) - Telion
  • Look at this question: ru.stackoverflow.com/a/571274/203622 - Small
  • @Telion again, very briefly: the database should hold dirty data, and it should only become clean immediately before output into the HTML code. That is, if I write the comment <script>alert(1);</script>"; drop table questions; -- - then it should be stored in the database and nothing should be cut out. As you can see, Stack Overflow saved my comment and did not cut anything out of it, yet none of the code I wrote executed :) That is what you should strive for. - andreymal
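The approach the commenters describe (raw data in, escaping at output only, parameters in SQL), applied to the form fields from the question, as an added example that is not code from the question or any of the comments. It assumes a table `requests` with columns `email`, `name` and `comment`, connection settings in `$db_host`, `$db_user`, `$db_pass`, `$db_name`, and a category list `$allowed`; all of these are placeholders chosen for the example.

```php
<?php
declare(strict_types=1);

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * "Empty field" rule from the question: a value counts as filled only if it
 * contains at least one letter or digit, so strings made of quotes, dots or
 * whitespace alone fail the check.
 */
function is_filled(string $value): bool
{
    return preg_match('/[\p{L}\p{N}]/u', $value) === 1;
}

/**
 * Store the input exactly as received. The prepared statement sends the
 * values separately from the SQL text, so quotes, tags and newlines are
 * stored unchanged and can never become part of the query.
 */
function save_request(mysqli $db, string $email, string $name, string $comment): int
{
    $stmt = $db->prepare('INSERT INTO requests (email, name, comment) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $email, $name, $comment);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

/**
 * Escape for the HTML context only at output time. Escaping happens first,
 * then newlines become <br>, so the <br> tags survive while any "<" typed
 * by the user is rendered as text.
 */
function html_text(string $value): string
{
    return nl2br(htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'), false);
}

// ---- request handling (placeholder connection settings) ----
$db = new mysqli($db_host, $db_user, $db_pass, $db_name);
$db->set_charset('utf8mb4');

$fields = [
    'email'   => (string) ($_POST['email'] ?? ''),
    'name'    => (string) ($_POST['name'] ?? ''),
    'comment' => (string) ($_POST['comment'] ?? ''),
];
foreach ($fields as $field => $value) {
    if (!is_filled($value)) {
        exit('empty field: ' . htmlspecialchars($field, ENT_QUOTES, 'UTF-8'));
    }
}

// Checkboxes: values are not escaped but validated against the known list
// (placeholder list), so an edited form cannot submit an unknown category.
$allowed    = ['design', 'development', 'support'];
$categories = array_values(array_intersect((array) ($_POST['category'] ?? []), $allowed));

$id = save_request($db, $fields['email'], $fields['name'], $fields['comment']);

// Read it back and render. A stored comment such as
// <script>alert(1);</script>"; drop table questions; --
// is shown as visible text; nothing in it runs in the browser or in MySQL.
$stmt = $db->prepare('SELECT comment FROM requests WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();

echo '<p>' . html_text($row['comment']) . '</p>';
```

The two cleaning steps from the question are kept, but moved: the emptiness check runs before the insert, and the `\n` to `<br>` replacement runs only when rendering, after `htmlspecialchars`, so there is nothing to decode later. Checkbox values are handled by whitelisting rather than escaping, since a category name is a choice, not free text.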
