PHP Sanitisation on User Input

Fascination · 08-05-2007, 07:26 AM

Hi there.

I’ve just finished following sde’s tutorial on session authentication and have got it working successfully (after lowering the error reporting level to remove the issues where it gets upset about the undeclared ‘username’ and ‘password’).
However, I was wondering where exactly I would initiate some form of sanitisation to prevent users from injecting unwanted code into the fields (and of course prevent the resulting chaos afterwards).
My aim is to use LOWER for the username (as the username will always be characters only, lowercase) and to allow numeric, upper and lower case characters for the password. My issue is that Im not quite sure where I should be inserting the functions to verify the user input:

Code:

<? 
// Login & Session example by sde 
// auth.php 

// start session 
session_start();  

// convert username and password from _POST or _SESSION 
if($_POST){ 
  $_SESSION['username']=$_POST["username"]; 
  $_SESSION['password']=$_POST["password"];   
} 

// query for a user/pass match 
$result=mysql_query("select * from users  
  where username='" . $_SESSION['username'] . "' and password='" . $_SESSION['password'] . "'"); 

// retrieve number of rows resulted 
$num=mysql_num_rows($result);  

// print login form and exit if failed. 
if($num < 1){ 
  echo "You are not authenticated.  Please login.<br><br> 
   
  <form method=POST action=index.php> 
  username: <input type=text name=\"username\"> 
  password: <input type=password name=\"password\"> 
  <input type=submit> 
  </form>"; 
   
  exit; 
} 
?>

Any help you could provide on this would be greatly appreciated, thank you.

- Fasc

DJMaze · 08-05-2007, 07:41 AM

Always sanitize at first level (input).
This means that you must verify each $_POST, $_GET, $_COOKIE, $_SERVER and $_FILES entry first BEFORE you put them somewhere else.

Fascination · 08-05-2007, 08:02 AM

Quote:

Originally Posted by DJMaze

Always sanitize at first level (input).
This means that you must verify each $_POST, $_GET, $_COOKIE, $_SERVER and $_FILES entry first BEFORE you put them somewhere else.

So, would it be logical to code:

Code:

if($_POST){ 
  $_SESSION['username']=$_POST FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH["username"]; 
  $_SESSION['password']=$_POST FILTER_SANITIZE_STRING["password"];   
}

DJMaze · 08-05-2007, 10:42 AM

no:

PHP Code:


			
if (!empty($_POST['username']) && !empty($_POST['password']))

{

    // magic quotes suck hard

    $_SESSION['username'] = (get_magic_quotes_gpc() ? stripslashes($_POST['username']) : $_POST['username']);

    $_SESSION['password'] = (get_magic_quotes_gpc() ? stripslashes($_POST['password']) : $_POST['password']);

}

Then at the database level ("input" to database)

PHP Code:


			
$result=mysql_query("select * from users  

  where username='" . mysql_real_escape_string($_SESSION['username']) . "' and password='" . mysql_real_escape_string($_SESSION['password']) . "'");

Fascination · 08-05-2007, 01:39 PM

Sorry, I dont mean to be stupid but I am curious (and thank you so far for your help).

Why the need though to establish 'get_magic_quotes_gpc' - I thought that was on by default? Or is it simply needed to make use of the stripslashes afterwards?

DJMaze · 08-05-2007, 01:57 PM

Quote:

Originally Posted by Fascination

'get_magic_quotes_gpc' - I thought that was on by default?

That's the whole crap setting in PHP 4. It should be off

Fascination · 08-06-2007, 08:36 AM

Ah I see.

Although magic quotes will suffice for now, judging by your comment tag you dont think its ideal; what method do you think I should consider studying to improve upon it?

Many thanks for your help so far.