Question

This is my first post at Stack Overflow. I need to ask a few simple :D questions related to PHP sanitizing inputs and would be really grateful to anyone who could assist me :)

1) OK, well, when I run get_magic_quotes_gpc() it returns false, which means magic quotes are turned off. Is this correct?

2) Should I sanitize any user-entered string using stripslashes(), htmlentities() and strip_tags() when magic quotes are turned off?

3) Even though magic quotes are turned off, when I enter characters such as \ or some other character, my program has no ability to avoid them. Why is that?

4) Then I modified my program to call a function to clean the string before it is processed. Even though the string is cleaned, it still shows those unwanted characters. Is there anything wrong in the sanitizeString() function?

Below is my code, related to question 3). (The program is supposed to convert Fahrenheit into Celsius or vice versa.)

<!DOCTYPE html>
<html>
    <head>

    </head>

    <body>

        <form action="TemperatureConverter.php" method="post">
            <label>Fahrenheit</label><input type="text" name="f" size="10"/><br>
            <label>Celsius</label><input type="text" name="c" size="10"/><br>
            <input type="submit" name="submit" value="SUBMIT">

        </form>


    </body>


</html>




<?php
$f='';
$c='';

if(isset($_POST["f"])){
    $f= sanitizeString($_POST["f"]);
}
if(isset($_POST["c"])){
    $c=sanitizeString($_POST["c"]);
}

if($f!=""){
    $c=(5/9)*($f-32);
    echo $f.' Fahrenheit is equal to '.$c.' Celsius ';
}
else if($c!=""){
    $f=$c*(9/5)+32;
    echo $c.' Celsius is equal to '.$f.' Fahrenheit ';
}

function sanitizeString($str){
    $str=  stripslashes($str);
    $str=  htmlentities($str);
    $str=  strip_tags($str);
    return $str;
}

I guess I have posted my code properly, adhering to the rules of Stack Overflow. If not, sorry. :(


Solution

In your example, as you know the input should be a number, it would be best to simply check for that rather than attempting to add additional filtering.

For example:

if(isset($_POST["f"])){
    $inFahrenheit = trim($_POST['f']); // remove any leading/trailing spaces
    // keep the trimmed value, not the raw $_POST entry, so what was validated is what gets used
    if (is_numeric($inFahrenheit)) $f = $inFahrenheit;
}

The above code validates that the input is numeric. Since you are expecting a number, anything else is invalid and can be ignored.

Other questions.

  1. Yes, it means the setting is turned off.
  2. Not all filters are required. There is no need to allow HTML values if the input should be a number. Using http://www.php.net/manual/en/book.filter.php would be a start.
  3. Magic Quotes only escapes certain characters. The setting is to be deprecated, so you should avoid using it.
  4. These functions only work to ensure that the characters are escaped properly. For example, an & would get converted to &amp;. There is still an & there, but it now has a different purpose.

OTHER TIPS

There are endless poorly written, outdated PHP tutorials out there that basically suggest that sanitization is a magic process that automatically fixes your data to avoid any potential vulnerability. Many developers accept that as a fact and apply the recommended functions without even looking them up in the documentation to find out what they really do. As a result, they not only write vulnerable applications but also corrupt legitimate user data in the process.

My advice:

  1. Read the docs for any function you use for the first time
  2. Understand what problem you need to solve
  3. Think whether the function does something to solve that problem

For instance:

strip_tags — Strip HTML and PHP tags from a string

Example #1 strip_tags() example

<?php
$text = '<p>Test paragraph.</p><!-- Comment --> <a href="#fragment">Other text</a>';
echo strip_tags($text);
echo "\n";

// Allow <p> and <a>
echo strip_tags($text, '<p><a>');
?>

You have a temperature conversion tool. Does it make sense to remove HTML tags from Fahrenheit degrees?

But imagine you have a site to post HTML snippets. Now you have HTML, so it makes sense to use HTML functions on it, doesn't it? But why would you want to remove HTML from an HTML snippet? You'd make your site useless! The problem you need to solve is to inject those snippets into the site and get them displayed as raw HTML rather than getting rendered. To do so you need to, e.g., convert every < symbol into &lt;.
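Putting both answers together (validate that the input is a number on the way in, and escape only at the point of output, for the HTML context it lands in), here is an added example that is not from the question or either answer; the function names parseTemperature, convert and h are my own, and the sample requests are constructed:

```php
<?php
// Added example (not from the question or answers): validate the temperature
// inputs as numbers, and escape only at the point of output.
declare(strict_types=1);

// Returns a float if $raw is a well-formed number, null otherwise.
// FILTER_VALIDATE_FLOAT rejects "72abc", "<b>72</b>", "72\" and "", so nothing
// needs to be "cleaned": bad input is simply refused instead of being mangled.
function parseTemperature(?string $raw): ?float
{
    if ($raw === null) {
        return null;
    }
    $value = filter_var(trim($raw), FILTER_VALIDATE_FLOAT);
    return $value === false ? null : $value;
}

function fahrenheitToCelsius(float $f): float { return (5 / 9) * ($f - 32); }
function celsiusToFahrenheit(float $c): float { return $c * (9 / 5) + 32; }

// Escape for an HTML body context. Done once, at output time, never on input.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Builds the response line for one request ($post stands in for $_POST).
function convert(array $post): string
{
    $f = parseTemperature($post['f'] ?? null);
    $c = parseTemperature($post['c'] ?? null);
    if ($f !== null) {
        return h(sprintf('%s Fahrenheit is equal to %.2f Celsius', $f, fahrenheitToCelsius($f)));
    }
    if ($c !== null) {
        return h(sprintf('%s Celsius is equal to %.2f Fahrenheit', $c, celsiusToFahrenheit($c)));
    }
    // The rejected raw value is echoed back only after escaping, so it cannot
    // inject markup into the page; the stored/processed value is never set.
    return 'Please enter a number. Got: ' . h((string)($post['f'] ?? $post['c'] ?? ''));
}

// Constructed sample requests, as the form in the question would submit them.
foreach ([['f' => ' 212 '], ['c' => '-40'], ['f' => '72\\'], ['c' => '<b>25</b>']] as $req) {
    echo convert($req), "\n";
}
```

Run it with the PHP CLI: the first two requests convert, the backslash and the tagged value are refused and echoed back harmlessly escaped, which is what sanitizeString() in the question could never guarantee because it both corrupts good input and still lets non-numbers through.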

Licensed under: CC-BY-SA with attribution