Jun
13
2011

Simplified Data Sanitizing

Ever feel as though your copy-paste buttons are going to wear out because your form has 36 fields, and ALL that data has to be scrubbed clean and fully sanitized prior to database entry?  I feel your pain.  Actually, to be fair- I’ve felt your pain, but not anymore!

Why do we need to sanitize and clean user input?  Because we can’t trust all users!

Thanks to PHP’s handy ability to reference user created functions, it doesn’t have to suck for you.

Back in the day, before I discovered the magic of PHP functions, here’s how my form data collection looked:

$input_one = mysql_real_escape_string( $_POST['input_one'] );
$input_two = mysql_real_escape_string( $_POST['input_two'] );

And so on, and on, and on, and on X (at one point 40ish inputs).  Also note that the example above should be avoided for a couple reasons.

  1. Unnecessary repetition of code
  2. Incomplete security for various MySQL vulnerabilities
  3. Failure to prevent XSS injections

HOWEVER, we can easily screen ALL of our data using just one simple call to the “clean_data()” function below.  If you aren’t familiar with PHP function usage, don’t start to sweat just yet!  If all of the pages on your website happen to reference a database connection file or script, you can simply add the entire bit below, and the function will scrub your data regardless of which page you call it from.

If you have only a single form that needs to be sanitized, just be sure to add the clean_data function to the top of your PHP (below your database connection details, and above your MySQL insertion scripts).

function clean_data( $input )
{
    $input = trim( htmlentities( strip_tags( $input,"," ) ) );

    if( get_magic_quotes_gpc() )
        $input = stripslashes( $input );

    $input = mysql_real_escape_string( $input );
    return $input;
}

Sanitizing your data is as simple as calling:

$yourinputtodatabase = clean_data( $_POST['yourformfieldhere'] );

This will take a potentially only very annoying user input which would have the potential of removing one of your database tables while providing you a very aggravating javascript alert box and turn it into a still irritating form input, but alas- one that will leave your data intact, and your browser un-annoyed.

For Example:

(‘DROP TABLE * ‘) <script>alert(‘GOTCHA’);</script> (Pre sanitizing)

Becomes:

(\’DROP TABLE * \’) alert(\’GOTCHA\’); (Post sanitizing)

I’d also recommend checking out PHP’s handy “filter” functions here if you’re interested.  They’re capable of both data validation and data sanitizing.

4 Comments + Add Comment

  • get_magic_quotes_gpc is not required with the latest php version

    • Totally true, and hasn’t been in play for quite some time, but as long as it doesn’t break anything I usually leave it there to provide backward compatibility for users who haven’t, or can’t upgraded (in a longggggg time)

  • When I put your example i.e. (‘DROP TABLE * ‘) alert(‘GOTCHA’); in my form and calling clean_data function nothing really happens. I only updated the function, replacing mysql_real_escape_string with mysqli_real_escape_string. Any ideas?

    • The mysqli_ functions require an explicit connection as the first parameter, aka:

      $data = mysqli_real_escape_string( $database, $data );

      Check out http://us3.php.net/mysqli_real_escape_string for examples

Leave a comment