Question

I know this is a never-ending battle, and everyone has different methods and opinions... I need a new method of cleaning/sanitizing the user input in PHP. I've had some random files appear in one of my website directories... I'm not sure if it's due to stolen passwords or what, but clearly my method is not working anymore! I'm sorry that this is probably a duplicate, but I'm tired of my server having vulnerabilities!

I currently use this:

// Recursively "cleans" every value in an array of request data.
// Note: mres() is not defined anywhere in this post; it is presumably a
// wrapper around mysql_real_escape_string(). get_magic_quotes_gpc() was
// deprecated in PHP 7.4 and removed in PHP 8.0.
function clean($value) {
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = clean($v);
        }
    } else {
        // Undo magic_quotes escaping so the value is not escaped twice
        if (get_magic_quotes_gpc() == 1) {
            $value = stripslashes($value);
        }
        // HTML-escape and trim the value, then escape it for the database
        $value = trim(htmlspecialchars($value, ENT_QUOTES, "utf-8"));
        $value = mres($value);
    }
    return $value;
}

Then I usually include this at the top of each file:

$POST = clean($_POST);
$GET = clean($_GET);

Please help before flagging me because I can't get blacklisted for spam again!


Solution

The function you just posted has nothing to do with "random files appearing" in your directories. It is for string sanitization, and you aren't sanitizing integers either. If you use this function to sanitize your database inputs, then you must validate the data you're entering first so it matches your needs: if you expect an integer, you make sure it's an integer and don't just add slashes to it to stop the quotes in strings; if you expect a string, you make sure it's a string. If you plan on displaying any data inputted by the user, then you must protect against XSS. If your server has vulnerabilities, then the problem is not with your website but with the software installed on the server itself. As for the randomly appearing files, the only way I can think of is if you allowed some users to upload pictures or files without making sure what their extension is, therefore allowing people to upload PHP files or HTML code. Finally, I'd just like to make clear that NO ONE can give you a sanitization function that will match your needs; you need to make one for your exact needs, because no one but you knows what type of data you're expecting.

This is a general rule for protecting your website against any user input, whether it is a file being uploaded or a user being registered:

  1. Validate the data and make sure it's the type of data you're expecting.
  2. Sanitize that data so that it cannot contain any malicious codes that may compromise your website.
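The two rules above, carried through in code. This is an added example, not the answer's own code: it validates each value against what is expected (an integer id, a restricted username) and then escapes it for the specific sink, using a prepared statement for the database, htmlspecialchars() at output time for HTML, and content sniffing plus a server-chosen filename for uploads. The table name, column names, DSN, credentials and upload directory are assumptions for illustration.

```php
<?php
// Added example (not the answer's own code). Table/column names, the DSN,
// credentials and the upload directory are assumptions for illustration.
declare(strict_types=1);

/**
 * Validate that a request value is an integer within [$min, $max].
 * Returns null when it is not, so the caller must reject or default it.
 */
function validateInt($raw, int $min = 0, int $max = PHP_INT_MAX): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

/**
 * Validate a username: 3-32 characters from a conservative character set.
 * Validation states what is expected; it does not try to "remove" bad input.
 */
function validateUsername($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    return preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $raw) === 1 ? $raw : null;
}

/**
 * Database sink: a prepared statement keeps data and SQL separate, so no
 * quote escaping is needed, and the id is bound as an integer.
 */
function findUserById(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * HTML sink: escape at output time, not on input, so stored data stays raw
 * and can be reused in non-HTML contexts (JSON, e-mail, logs).
 */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Upload sink: accept only image types verified by content sniffing, and
 * store the file under a server-chosen name and extension. The upload
 * directory is assumed to be one the web server does not execute PHP from.
 * Returns the stored filename, or null if the upload was rejected.
 */
function storeUploadedImage(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    // Ignore the client-supplied name/extension entirely; trust only the bytes.
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

// --- usage: validate first, then hand the value to the right sink ---
$id = validateInt($_GET['id'] ?? null, 1);
if ($id === null) {
    http_response_code(400);
    exit('invalid id');
}
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);
$user = findUserById($db, $id);
echo $user === null ? 'not found' : 'Hello, ' . e($user['username']);

if (isset($_FILES['avatar'])) {
    $stored = storeUploadedImage($_FILES['avatar'], __DIR__ . '/uploads');
    echo $stored === null ? ' (upload rejected)' : ' (saved as ' . e($stored) . ')';
}
```

The point of separating validation from escaping is that each sink needs its own encoding: escaping HTML entities before inserting into the database, as the posted clean() function does, corrupts the stored data without making the SQL safe, while a prepared statement makes quote escaping unnecessary in the first place. For uploads, whitelisting by sniffed content type and renaming the file removes the path by which a .php or .html file ends up in a web-served directory.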
Licensed under: CC-BY-SA with attribution