Geek Answers Handbook

Sanitize contact form without mysql_real_escape_string

I usually use this function to sanitize the form input before storing it in my database:

//Function to sanitize values received from the form. Prevents SQL injection function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); }

Until today, I did not realize that mysql_real_escape_string requires a database connection, since I only used it when I cleared the data before storing it in the database.

I tried to use the function in the contact form and received the error "Communication with the server could not be established." I could connect to the database, but not necessary, because I'm just trying to misinform the data before sending it to my email address through the contact form.

What is the best way to sanitize data that is not stored in the mysql database, and that data still needs to be sanitized?

+7
security php forms sanitize contact-form
source share
4 answers

use filter_var()

http://php.net/manual/en/function.filter-var.php

for example, if you want to clear email:

 $_POST['email'] = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);

to message

 $_POST['message'] = filter_var($_POST['message'], FILTER_SANITIZE_STRING);

is enogth

+15
source share

The purpose of disinfecting data with mysql_real_escape_string is to eliminate SQL injection. If you are not using SQL, you are already protected.

Men do not get cervical cancer.

Use the sanitization function that matches the special characters to be avoided. Ideally, do not remove something that does no harm.

+1
source share

The whole concept is wrong. This feature does not help not for email, even for the database.

mysql_real_escape_string does not "sanitize" anything. These are just escape separators and nothing more. Just to prevent syntax errors if you have a separator in your data:

 SELECT * FROM table WHERE name = 'it me' # error!

after the data has been escaped, your data will become 'it\ me' and there is no error.
Therefore, this function only works with SQL queries and data; it is enclosed only in quotation marks .

Thus, it makes no sense to do mysql_real_escape_string without quotes. mysql_real_escape_string should be used
a) one. things like cropping or strip have nothing to do here
b) right before the compilation of the query string, and not elsewhere
c) only with data to be enclosed in quotation marks.
d) all other data require other methods of disinfection.

As for email, you don’t need any sanitation that you send in plain text. The only precaution you should take against mail
Although it doesn’t matter. Just enter user input only in the body of the message. off topic, from or from any other headline. Only the body of the message. And you are safe

-one
source share

(I am new to stackoverflow, so I am doing the wrong way / doing poor work using the style of my answer, feel free to tell me.)

Correct me if I am wrong, as I am also dealing with the same problem right now, but I don’t think that the accepted answer using filter_var is enough, as attackers can work around this with Unicode.

Example: "& # 66; & # 99; & # 99; & # 58;" (spaces are added, so stackoverflow will display them correctly)

This will not be removed from the string and will later be replaced with "Bcc:".

This is my decision, but there may be a better way. If anyone knows one thing, I would like to hear it.

  $string = str_replace("&", "(and)", $string); $string = str_replace("#", "(num)", $string); $string = str_replace(";", "(semi-colon)", $string); $string = str_replace(":", "(colon)", $string); $string = str_replace("@", "(at)", $string); $string = str_replace("\\", "(backslash)", $string); $string = filter_var($string, FILTER_SANITIZE_STRING);
-one
source share

More articles:


All Articles