Sanatise CSV content in PHP

Question

I've built a bulk user import engine for my web application and it's working perfectly. I'm now sitting here asking myself, is it secure? After all, the content of this file is being pumped into my database!

Not being the wisest security nerd around I need a little advice here.

• Users are not able to rename the file after it's uploaded.
• When the file is uploaded, its name is instantly changed.
• Files must be .csv and have a csv relative mimetype for the upload to work.
• The uploaded file is stored in a directory not accessible via the WWW and is deleted as soon as the import has completed, usually a few hundred milliseconds.
• I'm opening the file and removing blank lines during the import

What about the actual content of the file? How can I sanitize the file to ensure it doesn't contain any executable code? I looked at the PHP manual and saw that as of PHP 4.3.5 getcsv() is binary safe, but being totally honest, I'm not 100% sure as to what that means.

I'm currently thinking about converting the CSV content into an array and creating a function that escapes the array content. Any other suggestions or is the above completely safe?

Answer 1

You can try using array_walk() to run mysql_escape_string() or your database's equivalent to be doubly sure everything is kosher.

function escape_sql(&$item, $key)
{
  $item = mysql_escape_string($item);

}

array_walk($input_array, 'escape_sql');

If your array is multi-dimensional you can use array_walk_recursive(), which operates similarly.