Zend PHP 7 Certification – Security – Input Filtering

This post covers the Input Filtering section of the PHP Security chapter when studying for the Zend PHP 7 Certification.

Validating user input is a fundamental security control in any programming language. It reduces the exposure of an application to injection attacks such as SQL injection and remote code execution, although validation on its own does not replace context-specific defences such as prepared statements and output encoding.

‘Invalid encoding’ attacks rely on byte sequences that are not well-formed in the expected character encoding, for example malformed or overlong UTF-8 sequences. A filter that looks only for the literal bytes of a dangerous character may miss such a sequence, while a more tolerant decoder such as a browser may still interpret it as that character and execute it.

PHP has a built-in function, mb_check_encoding(), that checks whether a byte string is valid for the given encoding. It is useful against this attack: pass the string as the first parameter and the encoding name as the second, and it returns true for a well-formed string and false otherwise. Reject any input for which it returns false before applying any further filtering.

$isUTF8 = mb_check_encoding($string, 'UTF-8');

Note that to use this function, the Multibyte String extension must be enabled on your server.
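The following is an added example, not code from the original post, showing mb_check_encoding() applied to a set of constructed inputs that a byte-level filter would pass through unchanged. The helper name requireUtf8 is an assumption for this example; it needs only the mbstring extension and PHP 7.0 or later.

```php
<?php
// Added example: rejecting malformed UTF-8 before any other filtering.
// Requires the mbstring extension.

/**
 * Return the input unchanged if it is well-formed UTF-8, otherwise false.
 * (Helper name constructed for this example.)
 */
function requireUtf8(string $input)
{
    return mb_check_encoding($input, 'UTF-8') ? $input : false;
}

// Constructed sample inputs. The first two are valid UTF-8; the rest are
// byte sequences that are not, and that a filter comparing against literal
// characters such as "/" or "<" would not notice.
$samples = [
    'plain ASCII'            => "Hello, World!",
    'valid multibyte'        => "Z\xC3\xBCrich \xE2\x82\xAC",   // "Zürich €"
    'overlong encoding of /' => "..\xC0\xAF..",                 // 2-byte form of "/"
    'truncated sequence'     => "abc\xE2\x82",                  // "€" missing its last byte
    'lone continuation byte' => "abc\x80def",
];

foreach ($samples as $label => $bytes) {
    $ok = requireUtf8($bytes) !== false;
    printf("%-24s %s\n", $label, $ok ? 'valid' : 'REJECTED');
}
```

The check is deliberately done with a strict comparison against false, so that an otherwise valid but empty string is not mistaken for a failure. Once the byte string is known to be valid UTF-8, the remaining filters on this page can be applied without the risk of an overlong sequence slipping past them.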

Once the encoding is known to be valid, the filter_var() function handles the next step: depending on the filter passed to it, it either sanitises or validates a value.

  • Sanitising removes or encodes characters that the chosen filter does not allow and returns the cleaned value.
  • Validating checks whether the data is in the expected form; it returns the value on success and false on failure.

filter_var() takes the input value as its first parameter and the sanitising or validating filter constant as its second. An optional third parameter supplies flags or an options array (for example a min_range and max_range for FILTER_VALIDATE_INT). PHP provides many constants; a small selection of the sanitising and validating filters can be seen below.

  • FILTER_SANITIZE_EMAIL
  • FILTER_SANITIZE_NUMBER_INT
  • FILTER_SANITIZE_STRING
  • FILTER_SANITIZE_URL
  • FILTER_SANITIZE_NUMBER_FLOAT
  • FILTER_VALIDATE_EMAIL
  • FILTER_VALIDATE_IP
  • FILTER_VALIDATE_MAC
  • FILTER_VALIDATE_URL
  • FILTER_VALIDATE_FLOAT

An example of string sanitising can be seen below. Note that FILTER_SANITIZE_STRING strips tags and encodes quotes; it is not a substitute for context-aware output encoding with htmlspecialchars() when the value is later written into HTML, and it was deprecated in PHP 8.1.

<?php
$string = "<h1>Hello, World!</h1>";
$new_string = filter_var($string, FILTER_SANITIZE_STRING);
// $new_string is now "Hello, World!"

And examples of IP validation. A validation filter returns the validated value itself on success rather than true, so compare the result against false with === instead of testing it for truthiness:

<?php
$ip = "127.0.0.1";
$valid_ip = filter_var($ip, FILTER_VALIDATE_IP);
// $valid_ip is "127.0.0.1" (the validated value, not TRUE)

$ip = "127.0.1.1.1.1";
$valid_ip = filter_var($ip, FILTER_VALIDATE_IP);
// $valid_ip is FALSE
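The following is an added example, not code from the original post, that goes beyond the basic calls above: it uses the optional third parameter of filter_var() for a range check and for IP flags, and shows why the result must be compared against false with === rather than treated as a boolean. The helper names validatePort and validatePublicIpv4 are assumptions for this example; the inputs are constructed.

```php
<?php
// Added example: validation filters with options and flags, and correct
// handling of their return value.

/**
 * Validate a TCP/UDP port number. Returns an int in 1..65535, or false.
 * (Helper name constructed for this example.)
 */
function validatePort(string $raw)
{
    return filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
}

/**
 * Accept only a publicly routable IPv4 address: IPv6, private (RFC 1918)
 * and reserved ranges are rejected. Returns the address string, or false.
 * (Helper name constructed for this example.)
 */
function validatePublicIpv4(string $raw)
{
    return filter_var(
        $raw,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
}

// Constructed sample inputs for each helper.
foreach (['80', '0', '65536', '8080abc', ' 443 '] as $raw) {
    $port = validatePort($raw);
    printf("port %-10s => %s\n", var_export($raw, true), $port === false ? 'rejected' : $port);
}

foreach (['8.8.8.8', '127.0.0.1', '10.0.0.5', '::1', '127.0.1.1.1.1'] as $raw) {
    $ip = validatePublicIpv4($raw);
    printf("ip   %-16s => %s\n", $raw, $ip === false ? 'rejected' : $ip);
}

// Pitfall: FILTER_VALIDATE_INT turns the string "0" into int(0), which is a
// successful validation but a falsy value. A plain `if (!$result)` would
// therefore treat legitimate zero input as a failure; only `=== false`
// distinguishes "validation failed" from "validated to a falsy value".
$zero = filter_var('0', FILTER_VALIDATE_INT);
if ($zero === false) {
    echo "zero: rejected\n";
} else {
    echo "zero: accepted as integer\n";
}
```

The same pattern applies to every FILTER_VALIDATE_* constant: the success value may be "0", 0, 0.0 or an empty-looking string that the filter considers well-formed, so the identity comparison against false is the only safe check.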

When dealing with databases, prefer prepared statements with bound parameters, so that user data is never spliced into the query text at all. Where a value must be interpolated into SQL, ensure that its special characters are escaped with the connection-aware escaping function, so that they cannot change the meaning of the query and open the way to SQL injection.

The mysqli_real_escape_string() function escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection. Because the result depends on that charset, set it with mysqli_set_charset() (not with a SET NAMES query, which the client library does not see) before escaping anything. Escaping is only correct for a value placed inside a quoted string literal; it does nothing for an unquoted numeric value or an identifier.

Note that the legacy mysql_real_escape_string() function, along with the whole mysql extension, was removed as of PHP 7.0. Instead, use the MySQLi function above or the PDO_MySQL extension.

<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");

$city = "'s Hertogenbosch";

/* this query will fail because $city was not escaped: the apostrophe ends the string literal early */
if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("Error: %s\n", $mysqli->sqlstate);
}

$city = $mysqli->real_escape_string($city);

/* this query with escaped $city will work */
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("%d Row inserted.\n", $mysqli->affected_rows);
}

$mysqli->close();
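The following is an added example, not code from the original post or the PHP manual, that continues the scenario above. It inserts the same value with a prepared statement instead of escaping, shows an input for which real_escape_string() gives no protection at all, and ends with the equivalent PDO_MySQL form. The connection details are the placeholders from the example above; it assumes the sample "world" database, whose City table has an integer ID column, and that mysqlnd is available for mysqli_stmt::get_result().

```php
<?php
// Added example: prepared statements as the primary defence, with
// real_escape_string() kept only for the quoted-string case it covers.

$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
if ($mysqli->connect_errno) {
    printf("Connect failed: %s\n", $mysqli->connect_error);
    exit();
}
// Escaping and the server's parsing of literals both depend on the
// connection charset, so set it through the client library.
$mysqli->set_charset('utf8mb4');

$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");

// 1. Prepared statement: the value never becomes part of the SQL text, so the
//    apostrophe is data rather than syntax and no escaping call is needed.
$city = "'s Hertogenbosch";
$stmt = $mysqli->prepare("INSERT INTO myCity (Name) VALUES (?)");
$stmt->bind_param('s', $city);
$stmt->execute();
printf("%d row inserted.\n", $stmt->affected_rows);
$stmt->close();

// 2. Escaping does not protect an unquoted value. Constructed attacker input:
$id = "1 OR 1=1";
$escaped = $mysqli->real_escape_string($id);   // contains no quote, backslash,
                                               // NUL or newline, so it is
                                               // returned unchanged
$vulnerable = "SELECT Name FROM myCity WHERE ID = $escaped";
// $mysqli->query($vulnerable) would now return every row in the table.
echo "Do not run: $vulnerable\n";

// The fix is again a bound parameter, this time with the integer type enforced
// by bind_param(), so non-numeric input cannot reach the query at all.
$idInt = 1;
$stmt = $mysqli->prepare("SELECT Name FROM myCity WHERE ID = ?");
$stmt->bind_param('i', $idInt);
$stmt->execute();
$result = $stmt->get_result();          // requires mysqlnd
while ($row = $result->fetch_assoc()) {
    echo $row['Name'], "\n";
}
$stmt->close();
$mysqli->close();

// 3. PDO_MySQL equivalent. Emulated prepares are disabled so that the server
//    parses the statement and receives the values separately; the charset is
//    declared in the DSN for the same reason as set_charset() above.
$pdo = new PDO(
    'mysql:host=localhost;dbname=world;charset=utf8mb4',
    'my_user',
    'my_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);
// The temporary table belongs to the mysqli connection, so query City directly.
$select = $pdo->prepare('SELECT Name FROM City WHERE ID = :id');
$select->bindValue(':id', 1, PDO::PARAM_INT);
$select->execute();
foreach ($select as $row) {
    echo $row['Name'], "\n";
}
```

The escaping example on this page remains valid for the one case it addresses, a value inside single quotes. For everything else, and as the default even for that case, bound parameters remove the need to reason about which characters are special in which context.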

Note: This article is based on PHP version 7.0