I know I need to use them on user input fields such as a username entry field, but what about for radio buttons such as a gender option?
Asked
Active
Viewed 2,612 times
0
-
How do you process such data types? – Gumbo Apr 11 '11 at 20:08
-
The idea behind using it is so you can exclude the user from being able to inject bad data into your database so every field that the user can possible change within the subit is more then reuiqred to be escaped while internal fields that are mostly setted by you and have no interaction from the user won't need to but doesnt hurt to be escaped too because it can prevent yourself to inserting bad data like if u add a bad scaping somewhere or any other character that can break it. – Prix Apr 11 '11 at 20:16
-
And what do you do with that `$_POST['value']`? – Gumbo Apr 11 '11 at 20:20
-
my code looks like this $username=mysql_real_escape_string($_POST['username']); and then I do mysql_query("INSERT INTO accounts (username) etc... – Basic Apr 11 '11 at 20:26
8 Answers
5
Stop!
You seem to be confusing escaping with data validation and data sanitization.
You need to validate any data that comes in. Yes, this means making sure that radio buttons contain legal values.
You need to sanitize any data that comes in. Should that text field contain HTML? No? strip_tags. Should that field be a number? Cast it as an integer.
You need to escape any data that you place in the database. If you're still using the prehistoric "mysql" extension, this means using mysql_real_escape_string on everything as you build your query -- not before.
You need to escape any data you echo to the user. htmlspecialchars is your friend.
I've previously explained this in more detail, though this is not a duplicate question.
2
ALL fields that are sent from a form to a server should be checked for valid inputs. All fields can be manipulated in such a way to do sql or other injection.
Patrick Evans
- 38,456
- 6
- 62
- 84
2
A pop quiz:
Given a small HTML form snippet:
<input type="hidden" name="studentID" value="42" />
<input type="radio" name="gender" value="Robert'; DROP TABLE Students" />
and your server-side code:
$studentID = $_POST['studentID'];
$gender = $_POST['gender'];
$sql = "UPDATE Students SET gender='$gender' WHERE studentID=$studentID";
$res = mysql_query($sql);
How many ways is this code wrong?
@Basic, at mininum, here's the 'big' errors:
- failure to confirm that the student ID is an integer.
- Failing to confirm that the studentID actually is valid and exists in the DB.
- inserting the studentID directly into the query, potentially allowing a direct SQL injection attack.
- Round-tripping a critical value (studentID) through a client-side form, allowing the user to hack the form and change the gender of any student.
- Failure to validate the gender value, allowing arbitrary data into the database (e.g. little Bobby Tables is now of gender 'n/a')
- inserting the gender value directly into the query string, leading to a direct SQL injection attack (in this case, the Students table gets deleted).
- Failure to check the return value from mysql_query(). Queries can be syntactically perfect, yet still fail for other reasons. Never forget to check a query call's status after it completes.
Not so big a deal when only the gender of a student is at issue. Maybe a form letter goes out about "Ms. Robert" and "her" latest detention.
Very big deal if it's an online banking site and the SQL injection just transferred your chequeing account's balance to some offshore account in the Cayman Islands.
Marc B
- 340,537
- 37
- 382
- 468
-
I see seven, though two of those depend on if you're oldschool XHTML or newschool HTML5 (or newoldschool HTML5-as-XML). How'd I do? – Charles Apr 11 '11 at 20:16
-
-
I have no idea but please tell me because that is how my code looks except a real_escape on it! – Basic Apr 11 '11 at 20:19
-
1
There are many ways (for the user) to change the submitted data, so - yes you need to use it for radio button.
For example you can change a radio button into an input type text and easily modify the value.
Teneff
- 23,912
- 8
- 52
- 85
1
Yes you need it. Users can change form inputs as they prefer. Firebug does miracles.
-
firebug is an extension for firefox browser. it's a must have tool for any web developer. it has javascript debuger, console, html editor and profiler. – Headshota Apr 11 '11 at 20:12
-
-
1@Basic, http://www.getfirebug.com/ -- though if you use Safari or Chrome, the built-in developer tools do the same thing. – Charles Apr 11 '11 at 20:17
1
Well, you should do that to all strings that you pass to mysql, not necessarily network input ;-)
Michael Krelin - hacker
- 122,635
- 21
- 184
- 169
0
Yes. Actually, you should also be checking the value of radio buttons/lists to make sure that the value is a valid one. See in_array(). Here's an example (isset check omitted for clarity):
$validValues = array('gold', 'silver', 'bronze');
$value = $_POST['value'];
if (in_array($value, $validValues)) {
// request is valid
} else {
// request is invalid
}
The only time you shouldn't use mysql_real_escape_string(), and that's on values that you expect to be integers. But you must handle them carefully. Read this article:
http://www.webappsec.org/projects/articles/091007.shtml
That article covers situations in which you wouldn't expect SQL injection, including how to handle integers.
Jonah
- 9,535
- 5
- 39
- 74
0
A nice way that you could secure your inputs from $_POST is by running array_map() this is much quicker than a manual foreach().
$formData = array_map('mysql_real_escape_string', $_POST);
You can even encapsulate the process of this by making a getPost() function.
function getPost($key) {
return array_key_exists($key, $_POST)
? mysql_real_escape_string($_POST[$key])
: null);
}
Hope this helps.
Paul Dragoonis
- 2,245
- 1
- 14
- 22