Author:Codex-m

Website: PHP Developer.org

Title: Best practices when sanitizing POST to prevent MySQL and XSS
attacks

Before you read and criticize further, there is no such thing as perfect
security. Every countermeasure has its flaws, the only way you can do it
to reduce the chances of successful attacks against your website by using
simple techniques such as input validation in PHP programming language.

Taking maximum importance and priority on the security aspects of web

development is a trademark of a professional programmer. This tutorial is
primarily written for beginners who needs basic education when it comes
to securing the web form inputs. One golden rule is to never trust user
inputs. Once your website is live on the Internet, your website is both
accessible by saints and devils.

So how you will start securing your web application? This tutorial
emphasis on POST method of form submission. The main objective is to
prevent cross side scripting attacks (XSS) and MySQL injection attacks.
There are a LOT of solutions out there on the Internet by just Googling
it out, but most of them can be complex to understand. So how can you
make it as simple as possible and compromising the strength of the
security level?

To simplify the illustration, see a sample secure PHP web form below:

<!--
google_ad_client = "pub-8259984129695446";
/* 160x90, created 4/10/11 */
google_ad_slot = "2189053493";
google_ad_width = 160;
google_ad_height = 90;
//-->

<html>
<head>
Best practices when using POST in PHP and in MySQL
</head>
<body>
<form action="<?php echo $_SERVER['PHP_SELF']; ?" method="post">
This tool will test sanitizing POST in PHP. Input XSS or MySQL injection
codes and you will see the output below. View the source code also.
<textarea name="postinput" rows="10" cols="50"></textarea>

<input type="submit" name="submit" value="Submit this form now">

</form>

<?php
//check if the form has been submitted
if (isset($_POST['postinput'])){

//connect to your MySQL database

//you should do this first before using mysql_real_escape_string function

include 'connect.php';
//This is the sanitizing function

function sanitize($data){

//remove spaces from the input

$data=trim($data);

//convert special characters to html entities

//most hacking inputs in XSS are HTML in nature, so converting them to
special characters so that they are not harmful

$data=htmlspecialchars($data);

//sanitize before using any MySQL database queries

//this will escape quotes in the input.

$data = mysql_real_escape_string($data);
return $data;
}

//Now to use the sanitizing function, simple use it to sanitize the POST.

$clean= sanitize($_POST['postinput']);

//output sample clean or safe code

echo $clean;
}

//ITS NOT YET COMPLETE!!!!.

//You need to validate the sanitized inputs here
//if it is a number, ensure it is in number
//If it is an integer, ensure it is an integer
//This is very important, if you do not do this, you system is still
vulnerable to attacks.

//Now do any database related queries here now that everything is CLEAN.
?>
</body>
</html>

If you are absolutely sure to be NOT accepting HTML tags or inputs in

your webform you can use strip_tags function. This will strip off the
entire HTML, use with caution. It is important you should turn off magic
quotes if you are planning to use the code above. Set magic_quotes_gpc =
Off in your php.ini.