  #1 (Join Date: Dec 2012, Posts: 40)

    Question: Is data sanitization required after using PHP prepared statements?

    If you are using prepared statements in PHP for all your queries, then do you still need to sanitize user inputs?

    Is any other data sanitization required to prevent SQL injection or any other kind of security threat from user inputs?

    Let's say if the code is like this:

    // Every user-supplied value is sent as a bound parameter, never concatenated into the SQL.
    $query = "INSERT INTO user (name, email, desg, inst, country, address) VALUES (?, ?, ?, ?, ?, ?)";
    $stmt = $con->stmt_init();
    // prepare() returns false if the SQL is rejected; check it instead of calling bind_param on a failed statement
    if (!$stmt->prepare($query)) {
        die('prepare failed: ' . $con->error);
    }
    // 'ssssss' declares all six parameters as strings
    $stmt->bind_param('ssssss', $name, $email, $desg, $inst, $country, $address);
    $stmt->execute();
    Last edited by aditya2012; 12-15-2013 at 02:40 PM.

  #2 (Join Date: Jul 2009, Posts: 639)
    I still would. In most cases, you can't go wrong with securing your code further.
    bihira.com | 10+ Years of Web Hosting Experience!
    Shared Hosting | Reseller Hosting | 30 Day Money Back Guarantee
    cPanel | CloudLinux | R1Soft | Softaculous
    Find us on facebook and follow us on twitter @bihira

  #3 (Join Date: Sep 2002, Location: Top Secret, Posts: 11,686)
    It's always, always, always good practice to sanitize your data.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details

  #4 (Join Date: Mar 2005, Posts: 331)
    Technically there is no reason to sanitize the data for SQL injection if you only use prepared statements. However, there are many other attack types that you need to protect against. Prepared statements only help you against SQL Injection.

  #5 (Join Date: Feb 2005, Location: Australia, Posts: 5,842)
    Quote Originally Posted by BCata:
    Technically there is no reason to sanitize the data for SQL injection if you only use prepared statements. However, there are many other attack types that you need to protect against. Prepared statements only help you against SQL Injection.
    Exactly right. Notably XSS. If a malicious user includes JavaScript in his data (e.g. the address field) and you don't sanitize, it will be faithfully saved in the database. Then when the admin logs in and opens any page containing the address (e.g. a user list), that JavaScript runs in his browser with all his permissions. Oops - you've just allowed an attacker to do anything the admin can.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  #6 (Join Date: Dec 2012, Posts: 40)
    Can prepared statements help to overcome the impact of malicious words like SELECT, UPDATE, DELETE if any user tries to input those words?

    @Foobic: I understand we need to remove JavaScript for XSS attacks using a function like this:
    Code:
    // Blacklist-style stripping: removes script blocks, HTML tags, style blocks and comments from $input
    function cleanInput($input) {
        $search = array(
            '@<script[^>]*?>.*?</script>@si',   // Strip out javascript
            '@<[\/\!]*?[^<>]*?>@si',            // Strip out HTML tags
            '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
            '@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments
        );
        $output = preg_replace($search, '', $input);
        return $output;
    }
    Any comments....

  #7 (Join Date: Feb 2005, Location: Australia, Posts: 5,842)
    Quote Originally Posted by aditya2012:
    Can prepared statements help to overcome the impact of malicious words like SELECT, UPDATE, DELETE if any user tries to input those words?
    Prepared statements, used properly, will prevent SQL injection attacks. So if an attacker uses these words in an input string, they'll just be put into the database complete with the rest of the string, not executed (unless the attacker finds a vulnerability in the library used to implement prepared statements - unlikely but possible).

    Quote Originally Posted by aditya2012:
    Any comments....
    You're trying to think of every possible attack and remove it specifically. That's the wrong way to do sanitation. The right way is to think about which characters you need the user to be able to enter in any given situation and allow only those characters - remove everything else.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter
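    The two points made in #5 and #7 (keywords bound as parameters are stored as data, and the stored value is still an XSS problem the moment it is echoed into a page) can be seen in one short script. This is an added example, not code from the thread; it uses PDO with an in-memory SQLite database so it runs offline (assumption: the pdo_sqlite extension is enabled), and the placeholder binding behaves the same way as the OP's mysqli bind_param. The record values are constructed for the demonstration.

```php
<?php
// Added example: the thread's INSERT run through a prepared statement with a hostile
// record, then the stored address rendered both unescaped and escaped.
// Assumption: PDO + pdo_sqlite available. Not the OP's code; column names match the thread.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (name TEXT, email TEXT, desg TEXT, inst TEXT, country TEXT, address TEXT)');
    return $db;
}

// Same column list as the thread; every value travels as a bound parameter, never as SQL text.
function insertUser(PDO $db, array $u): void
{
    $stmt = $db->prepare('INSERT INTO user (name, email, desg, inst, country, address) VALUES (?,?,?,?,?,?)');
    $stmt->execute([$u['name'], $u['email'], $u['desg'], $u['inst'], $u['country'], $u['address']]);
}

// Vulnerable rendering: the stored value is written straight into the HTML (stored XSS).
function renderUnsafe(array $row): string
{
    return '<td>' . $row['address'] . '</td>';
}

// Hardened rendering: escape for the HTML context at output time, regardless of what was stored.
function renderSafe(array $row): string
{
    return '<td>' . htmlspecialchars($row['address'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

$db = openDb();

// Constructed hostile record: SQL keywords and a quote in the name, markup in the address.
insertUser($db, [
    'name'    => "Mallory'; DROP TABLE user; --",
    'email'   => 'mallory@example.com',
    'desg'    => 'SELECT * FROM user',
    'inst'    => 'Example Ltd',
    'country' => 'AU',
    'address' => '<script>alert(1)</script>',
]);

// The table still exists and holds exactly one row: the keywords were data, not SQL.
$rows = $db->query('SELECT name, address FROM user')->fetchAll(PDO::FETCH_ASSOC);
echo count($rows), " row(s) stored\n";
echo 'name stored verbatim: ', $rows[0]['name'], "\n";

// The same stored address is dangerous or harmless depending only on how it is output.
echo 'unsafe: ', renderUnsafe($rows[0]), "\n";
echo 'safe:   ', renderSafe($rows[0]), "\n";
```

    Run it with the PHP CLI. The prepared statement is what protects the INSERT; nothing about it protects the admin's user list, which is why escaping belongs at the point of output (htmlspecialchars for HTML body and attribute context) rather than in a strip-on-input function.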

  #8 (Join Date: Sep 2002, Location: Top Secret, Posts: 11,686)
    Quote Originally Posted by foobic:
    You're trying to think of every possible attack and remove it specifically. That's the wrong way to do sanitation. The right way is to think about which characters you need the user to be able to enter in any given situation and allow only those characters - remove everything else.

    Correct.
    And adding to that, why create your own functions? The wheel exists in PHP already. Filters have existed for a bit now.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details
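    The allowlist approach from #7, written with the built-in filter extension that #8 points at, looks like the following. This is an added example, not code from the thread or from PHP's documentation: the field names are the OP's, but the character sets, length caps and the country list are illustrative assumptions, and the sample records are constructed.

```php
<?php
// Added example: allowlist validation of the thread's registration fields using
// filter_var / preg_match instead of a hand-written strip function. Rules are assumptions.
declare(strict_types=1);

// Constructed sample allowlist; a real form would use the full set of codes it supports.
const COUNTRIES = ['AU', 'IN', 'US', 'GB', 'DE'];

// Returns field => error message; an empty array means every field passed its allowlist.
function validateRegistration(array $in): array
{
    $errors = [];

    // Name: letters in any script, combining marks, space, dot, apostrophe, hyphen; 1..100 chars.
    $nameRule = ['options' => ['regexp' => '/^[\p{L}\p{M} .\'-]{1,100}$/u']];
    if (filter_var($in['name'] ?? '', FILTER_VALIDATE_REGEXP, $nameRule) === false) {
        $errors['name'] = 'name contains characters outside the allowed set';
    }

    // Email: the built-in validator, plus a hard length cap.
    $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($email) > 254) {
        $errors['email'] = 'not a valid email address';
    }

    // Designation and institution: a slightly wider set, still explicit; 1..150 chars.
    $textRule = ['options' => ['regexp' => '/^[\p{L}\p{M}\p{N} .,\'&()-]{1,150}$/u']];
    foreach (['desg', 'inst'] as $field) {
        if (filter_var($in[$field] ?? '', FILTER_VALIDATE_REGEXP, $textRule) === false) {
            $errors[$field] = "$field contains characters outside the allowed set";
        }
    }

    // Country: must be one of the known codes, compared strictly (no type juggling).
    if (!in_array($in['country'] ?? '', COUNTRIES, true)) {
        $errors['country'] = 'unknown country code';
    }

    // Address: digits, common punctuation and line breaks allowed; 500-byte cap; never markup.
    $address = $in['address'] ?? '';
    if (!is_string($address)
        || strlen($address) > 500
        || !preg_match('/^[\p{L}\p{M}\p{N} .,\'#\/()\r\n-]+$/u', $address)) {
        $errors['address'] = 'address contains characters outside the allowed set';
    }

    return $errors;
}

// Constructed inputs: one clean record and one carrying HTML and SQL fragments.
$good = ['name' => "María O'Neil", 'email' => 'maria@example.com', 'desg' => 'Engineer',
         'inst' => 'Example Ltd', 'country' => 'AU', 'address' => "12 Sample St\nSydney"];
$bad  = ['name' => 'Bob <script>alert(1)</script>', 'email' => 'not-an-email',
         'desg' => "x'; DROP TABLE user; --", 'inst' => 'Example Ltd',
         'country' => 'XX', 'address' => '<img src=x onerror=alert(1)>'];

print_r(validateRegistration($good));
print_r(validateRegistration($bad));
```

    Two design choices worth noting. The validator rejects bad input with an error instead of silently stripping pieces out, so the user sees what was refused and the code never has to guess which fragments were "the attack". And because apostrophes and ampersands are legitimately allowed in names and institutions, validation does not replace output escaping: the values still go into the database through bound parameters and into pages through htmlspecialchars.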
