Just want to say for all of my previous questions, thanks for helping me out with a few issues. Of course I'm a noob but learning is key.
I'm making a function that sanitizes the input before it gets submitted into the query to make sure it is secure. These are a few questions just from my last thread as well as some new questions. This question is directed to people who are really good with keeping inputs sanitized and secure.
This is how I do all of my queries.
$query = $dbh->prepare("SELECT * FROM table WHERE data = ?");
$query->execute(array($data));
And in mainly "insert" queries or any other type of query I do it like this.
$query = $dbh->prepare("INSERT INTO table ( data ) VALUES ( :data )");
$query->execute(array(':data' => $data));
I usually use this method for queries that require inserting tons of data. My question is, does either way work? I don't have anything bound because I have this sanitization function that I made.
function sanitize($type, $input) {
    if ($type == "email") { $input = filter_var($input, FILTER_SANITIZE_EMAIL); }
    if ($type == "int")   { $input = filter_var($input, FILTER_SANITIZE_NUMBER_INT); }
    if ($type == "float") { $input = filter_var($input, FILTER_SANITIZE_NUMBER_FLOAT); }
    if ($type == "string") {
        // strips tags and encodes quotes (deprecated since PHP 8.1)
        $input = filter_var($input, FILTER_SANITIZE_STRING);
        //$input = filter_var($input, FILTER_SANITIZE_ENCODED);
        // addslashes() behaviour (deprecated in PHP 7.3, removed in 8.0)
        $input = filter_var($input, FILTER_SANITIZE_MAGIC_QUOTES);
        // HTML-encodes '"<>& and characters below 32
        $input = filter_var($input, FILTER_SANITIZE_SPECIAL_CHARS);
        // alias of FILTER_SANITIZE_STRING, so this repeats the first step
        $input = filter_var($input, FILTER_SANITIZE_STRIPPED);
        //$input = filter_var($input, FILTER_SANITIZE_URL);
    }
    return $input;
}
My question is, is this the best way of using this sanitization function? Is there a better way of going about this? Like I said, security is my biggest concern with making projects and I don't want to risk having anything bad happen so I'd rather optimize security before I move on with the projects I am making.
And my final question is, what is the best way of doing CSRF tokens? I tried a script from I believe OWASP but a few of my friends claimed it has a few vulnerabilities so I don't want to use it. Thanks again :)
My question is, is this the best way of using this sanitization function?
This is a good way to perform sanitization. All sanitization methods will improve over time.
Is there a better way of going about this?
If it is a web application that is providing you user input, you may want to guide the user on the UI with your expectations (e.g. "Enter apartment number, if applicable. Otherwise, leave it blank").
JavaScript can be used to enforce certain behavior.
When the data arrives at your PHP script, beyond the sanitization process also analyze whether the data is between X and Y in length. For example, if a customer is entering an age, check that the age is within a valid limit.
If it is a string, and you prefer not to have any offensive tags, use strip_tags to remove them. Perform encoding/decoding/escaping of certain characters - think of using mysqli_real_escape_string, htmlspecialchars.
Additionally, if there are multiple insert statements running in one shot, use stored routines. Use transactions, regardless of routines. Roll back unless all the transactions complete as you desire.
Instead of using select * from ..., select the required columns. It is possible that certain results, where only 2-3 columns are needed, may speed up dramatically if there is a covering index.
If your app uses system, exec etc., utilizing escapeshellarg/escapeshellcmd will be useful.
When displaying information on the UI, ensure that relevant fields are displayed with htmlspecialchars in order to reduce/eliminate the chances of XSS. Also think of using urlencode/json_encode as necessary.
Take a look at http://www.wikihow.com/Prevent-Cross-Site-Request-Forgery-%28CSRF%29-Attacks-in-PHP that showcases, with examples, ways to prevent CSRF attacks.
Comments to your questions are all nice thoughts you should consider, and importantly - you have taken a step in the right direction already - so good for you!
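The question's setup reworked as an added example (not code from the question or the answer): validation with FILTER_VALIDATE_* instead of rewriting the input, both PDO placeholder styles, escaping at output time, and a session CSRF token checked with hash_equals. It uses an in-memory SQLite database so it runs on its own; the users table and its columns are made up for the example.

```php
<?php
// Added example, not the asker's or answerer's code. The table schema and
// sample values are constructed; swap the DSN for your real database.
declare(strict_types=1);
session_start();

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, age INTEGER, bio TEXT)');

// Validate: return false for input that does not fit, rather than mangling it.
// SQL escaping is not done here; the prepared statement handles that.
function validate(string $type, string $input, array $opts = [])
{
    return match ($type) {
        'email'  => filter_var($input, FILTER_VALIDATE_EMAIL),
        'int'    => filter_var($input, FILTER_VALIDATE_INT, ['options' => $opts]),
        'string' => strlen($input) <= ($opts['max'] ?? 255) ? $input : false,
        default  => false,
    };
}

$email = validate('email', 'alice@example.org');
$age   = validate('int', '34', ['min_range' => 0, 'max_range' => 150]);
$bio   = validate('string', "O'Brien'); DROP TABLE users; --", ['max' => 500]);
if ($email === false || $age === false || $bio === false) {
    exit("invalid input\n");
}

// Named placeholders: the quotes in $bio are sent as data, so they are stored literally.
$ins = $dbh->prepare('INSERT INTO users (email, age, bio) VALUES (:email, :age, :bio)');
$ins->bindValue(':email', $email, PDO::PARAM_STR);
$ins->bindValue(':age', $age, PDO::PARAM_INT);
$ins->bindValue(':bio', $bio, PDO::PARAM_STR);
$ins->execute();

// Positional placeholder: equivalent protection, just a different syntax.
$sel = $dbh->prepare('SELECT email, age, bio FROM users WHERE email = ?');
$sel->execute([$email]);
$row = $sel->fetch(PDO::FETCH_ASSOC);

// Escape for the output context (HTML here), not on the way into the database.
echo '<p>' . htmlspecialchars($row['bio'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</p>\n";

// CSRF: one random token per session, embedded in forms and compared in constant time.
$_SESSION['csrf'] ??= bin2hex(random_bytes(32));
function csrf_ok(string $submitted): bool
{
    return isset($_SESSION['csrf']) && hash_equals($_SESSION['csrf'], $submitted);
}
echo '<input type="hidden" name="csrf" value="' . htmlspecialchars($_SESSION['csrf'], ENT_QUOTES) . "\">\n";
```

On a POST, call csrf_ok($_POST['csrf'] ?? '') before touching the database and reject the request when it returns false. With MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server, not the client, parses the placeholders.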