I coulda sworn we had another thread about this somewhere....
The rule of thumb when dealing with Users:
- Validate input.
- Escape output.
Validate Input
To achieve the former, follow three simple rules:
- Don't trust the User
- Don't trust the User
- Don't trust the User
There is a fourth rule (Don't trust the User), but I left it off to avoid redundancy.
What do I mean by that? In a nutshell: $_POST['itemid'] is not an integer, $_POST['email'] is a phone number, $_GET['username'] probably contains malicious SQL code.
Joel Spolsky explores using Hungarian notation to make unsafe User input obvious (http://www.joelonsoftware.com/articles/Wrong.html), but you can just as easily solve the problem by building good habits.
Never use superglobals in any of your code. Always clean them as soon as you get them:
$itemid = (int) $_POST['itemid'];
$email = validate_email($_POST['email']);
$username = mysqli_real_escape_string($conn, $_GET['username']); // the connection is the first argument

/** UNSAFE */
$query = "SELECT ... WHERE `Username` = '{$_GET['username']}' ...";

/** SAFE */
$query = "SELECT ... WHERE `Username` = '{$username}' ...";
SQL injection is perhaps the most spectacular vulnerability that can be exploited when a programmer fails to validate input, but you might also encounter oddness when, for example, processing payment data, sending requests to web services and other processes that involve sending or storing User input.
Escape Output
Always escape anything that gets output by your application. The majority of the time (escaping content for the User's web browser), you can achieve this using the built-in htmlentities() function (http://php.net/htmlentities).
Escaping output thwarts vile XSS attacks and prevents oddly-formatted User input from breaking your HTML.
Note that you won't always find yourself escaping data for HTML. When sending data to a web-service, be sure to XML-escape any tag values that you send (htmlentities() can handle this just fine).
If you are generating a CSV file, you need to escape commas, and so on.
Output escaping can also be used to improve the quality of your User experience. For example, when outputting a value that should be a phone number, run it through a function that formats it in (###) ###-#### format (watch out for international phone numbers!).
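As an added example that is not part of the original post, the validate-then-escape habit written out in PHP. It assumes a constructed request array standing in for $_POST/$_GET, a hypothetical `Users` table with `Username` and `Email` columns, and a mysqli connection that is only passed in (never opened here); the CSV helper also goes one step past the post by guarding against spreadsheet formula prefixes.

```php
<?php
// Added example, not the original poster's code. Constructed request data
// standing in for $_POST / $_GET.
$request = ['itemid' => '42abc', 'email' => 'bob@example.com', 'username' => "o'brien <b>"];

// Validate input: accept only what we expect, reject everything else.
function validate_itemid(array $req): ?int {
    // FILTER_VALIDATE_INT returns false for "42abc"; a bare (int) cast would silently yield 42.
    $id = filter_var($req['itemid'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function validate_email(array $req): ?string {
    $email = filter_var($req['email'] ?? '', FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// For SQL, prefer a prepared statement over escaping: the value never becomes query text.
// Assumes a hypothetical `Users` table; not called below because there is no live connection.
function lookup_user(mysqli $conn, string $username): ?array {
    $stmt = $conn->prepare('SELECT `Username`, `Email` FROM `Users` WHERE `Username` = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Escape output for the context it lands in: HTML and CSV need different rules.
function escape_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function escape_csv_field(string $s): string {
    // A leading =, +, - or @ may be evaluated as a formula by spreadsheet software,
    // so neutralise it with a quote prefix, then quote the field and double embedded quotes.
    if ($s !== '' && strpos('=+-@', $s[0]) !== false) {
        $s = "'" . $s;
    }
    return '"' . str_replace('"', '""', $s) . '"';
}

$itemid = validate_itemid($request);   // null, because "42abc" fails validation
$email  = validate_email($request);    // the validated address, or null
var_dump($itemid, $email);
echo escape_html($request['username']), "\n";
echo escape_csv_field('=1+1,"x"'), "\n";
```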