I'm a bit confused about sanitizing user input for PHP/MySQL. I'm writing a script where I need to email the input of a form and add the details to the MySQL database. Do I need to declare the variables like this:
$surname = stripslashes($_POST['surname']); // stop things like O\'Malley showing up in the email
then do the mail function, then redeclare the variables like this before adding them to the database:
$surname = mysql_real_escape_string($surname);
Will stripslashes sanitize the input by itself, or do I need to do it as above?
stripslashes doesn't sanitize data; it removes slashes, which is in effect de-sanitizing the data. It seems like you're on the right track though. You'll probably want to use stripslashes to remove the slashes on all POST (or GET?) data, email it, and then use mysql_real_escape_string on the data before sending it to the database.
I am really interested in the subject of sanitizing user input also, and I always spread the green for honest replies. Other than using mysql_real_escape_string() and strip_tags(), what other steps are there for a "complete" solution?
It depends on where your data is going. If you're putting it into a database, mysql_real_escape_string() is a great solution, as it strips out a few extra characters compared to addslashes(). If the data is going into the database and then being displayed somewhere else, I just strip out <> and everything in between them. But you can use htmlspecialchars() just as effectively. quotemeta() is also useful, but most of the time it won't be needed, as it strips out parenthetical marks, square brackets, as well as \ + . * ^ $ and ?. You can also use addcslashes(), which works like addslashes() except you can define what characters to escape. The PHP.net page has good user-contributed sample code on how to use it. Just think of what the data you want to get from the user contains, and build regular expressions to strip out everything but the bits you need. If it's a phone number, I'll take out everything but numbers and number-separating characters (such as a dash, a space and the plus sign for country codes). I'm not sure if you're familiar with regular expressions, but they'll help you to filter data like this.
Escaping strings for use in SQL queries is just part of sanitizing user input. The actual process, and what exactly you need sanitized and wiped out before entering your database, depends on your situation. For example, if the text is going to be selected and shown on a web page to other users, you will also need to strip all HTML tags or convert them all to HTML entities. For escaping only, mysql_real_escape_string is the choice, and a better one would be PDO or MySQLi's prepare. Can't post a link now, please just look at php.net.
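The flow from the question (email the form value, then store it), done with the PDO prepared statement this reply recommends; this is an added example, not code from any post in the thread. It assumes PHP 5.4 or newer with the pdo_sqlite extension so it runs offline against an in-memory SQLite database standing in for MySQL; the form value and the helper function names are constructed for illustration.

```php
<?php
// Added example, not from the thread. One form field handled three ways:
// raw for the email body, bound to a placeholder for the database, and
// escaped only when rendered as HTML. Assumes PHP >= 5.4 with pdo_sqlite.

$post = ['surname' => "O'Malley <b>x</b>"];   // constructed stand-in for $_POST

// Since PHP 5.4 nothing adds slashes to $_POST (magic quotes are gone), so
// stripslashes() is not called: it only undoes backslashes that an earlier
// escaping step added, and it never makes a value safe on its own.
$surname = trim($post['surname']);

function build_email_body($surname)
{
    // A plain-text body needs no SQL or HTML escaping; the value goes into the
    // message body only, never into mail headers.
    return "New submission from: " . $surname . "\n";
}

function store_submission(PDO $db, $surname)
{
    // Placeholder plus bound value keeps data separate from the SQL text, so
    // the apostrophe in O'Malley is stored as-is with no escaping call at all.
    $stmt = $db->prepare(
        'INSERT INTO submissions (surname, status) VALUES (:surname, :status)'
    );
    $stmt->execute([':surname' => $surname, ':status' => 'pending']);
    return (int) $db->lastInsertId();
}

function render_surname($surname)
{
    // Escape at output time, when the reviewed text is shown on a web page.
    return htmlspecialchars($surname, ENT_QUOTES, 'UTF-8');
}

// For MySQL use a DSN such as 'mysql:host=localhost;dbname=app;charset=utf8mb4'
// with user and password, and add PDO::ATTR_EMULATE_PREPARES => false so the
// server, not the driver, binds the values.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, surname TEXT, status TEXT)');

echo build_email_body($surname);            // what mail() would send as the body
$id = store_submission($db, $surname);
$sel = $db->prepare('SELECT surname FROM submissions WHERE id = :id');
$sel->execute([':id' => $id]);
$stored = $sel->fetchColumn();               // round-trips unchanged, apostrophe included
echo "Stored row $id: $stored\n";
echo "For HTML: " . render_surname($stored) . "\n";
```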
Thanks. In my case the data is coming from user-submitted forms and will not be published without review and editing if necessary. So mostly I want to protect the database from the entry while it is in the pending status. I am also concerned about SQL injection attacks, as I see some big-name scripts get hit or have to do revisions on a somewhat regular basis. I guess nothing is 100%.
strip_tags: removes any HTML tags from a string
preg_replace: removes unwanted characters from a string
mysql_real_escape_string: ensures that data is escaped properly to prevent SQL injection and SQL errors
preg_quote: makes a string safe to use in a preg_match regular expression
escapeshellarg: makes a string safe to use when executing a command-line program
htmlentities: outputs HTML tags as literal tags, rather than executing them as HTML code