Best Way to Sanitize / Filter User Comments?
I am currently using this process for Sanitize / Filter comments entered by users ->
This is used to strip the slashes added by magic quotes ... and

```php
// Undo magic_quotes_gpc if it is on, so the raw input is not double-escaped.
// (magic_quotes was removed in PHP 5.4, so this block is a no-op from then on,
// and get_magic_quotes_gpc() itself was removed in PHP 8.0.)
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
    {
        // Recurse into nested arrays; stripslashes() only handles strings.
        return is_array($value)
            ? array_map('stripslashes_deep', $value)
            : stripslashes($value);
    }
    $_POST    = array_map('stripslashes_deep', $_POST);
    $_GET     = array_map('stripslashes_deep', $_GET);
    $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
```
The comment then goes through this function to sanitize the data ...

```php
function my_strip_tags($str) {
    $strs = explode('<', $str);
    $res  = $strs[0];
    for ($i = 1; $i < count($strs); $i++) {
        // Note: both branches do exactly the same thing, so every '<' is put
        // back unchanged and the whole function reduces to strip_tags($str).
        // (strpos() also returns 0, which is falsy, when '>' is the first
        // character of the piece; a real check would use strpos(...) === false.)
        if (!strpos($strs[$i], '>'))
            $res = $res . '<' . $strs[$i];
        else
            $res = $res . '<' . $strs[$i];
    }
    return strip_tags($res);
}
```
After that, it goes straight to the database using a prepared statement.

```php
function add_comment($comment, $type, $update_id, $user_id) {
    // $type is not used here.
    $query = "INSERT INTO comment_updates (updateid, userid, comment) VALUES (?, ?, ?)";
    if ($stmt = $this->conn->prepare($query)) {
        // The values travel as bound parameters, separately from the SQL text,
        // so they are never interpreted as SQL.
        $stmt->bind_param('sss', $update_id, $user_id, $comment);
        $stmt->execute();
        $ok = ($this->conn->affected_rows == 1);
        $stmt->close();   // close on every path, not only on success
        return $ok;
    }
    return false;
}
```
I just wanted to know if this is safe enough or if there are any better alternatives ... Thanks
Don't write your own HTML sanitizer. You will create XSS holes.
If you are going to write your own, at least run the ha.ckers.org XSS smoke tests against it.
Between those tests and a comparison of HTMLPurifier's filters, you should get an idea of how complex HTML processing is, and why you should leave it to the pros.
The most important thing when thinking about storing data in a database is to avoid SQL injection: use mysql_real_escape_string, mysqli_real_escape_string, or PDO::quote, depending on the database extension you are using (or the equivalent functions for Oracle / PostgreSQL / ...).
Another solution is to use prepared statements (see mysqli::prepare and/or PDO::prepare; these are not supported by the old mysql_* extension), which will take care of escaping the data for you ;-)
When you think about HTML output, you have three options:
- accept HTML and use a library like HTMLPurifier for filtering / cleaning; this lets you specify exactly which tags and attributes are allowed and gives you clean, valid HTML as output.
- try to remove the HTML the way you are doing; this doesn't always work well (what if you forget some special case?)
- escape the HTML with htmlentities or htmlspecialchars: it doesn't necessarily look pretty, but the result will look exactly like what the user typed.
I would go with either the first or the last solution; yours feels more "dangerous", but that's just a feeling ^^ (the general idea of "not reinventing the wheel")
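As an added illustration of the points made in the two answers above (this is example code written for this page, not something the poster or the answerers wrote), the following PHP script shows two concrete ways the posted strip_tags()-style filter misbehaves, and then the "store the raw comment, escape on output" approach with htmlspecialchars. All inputs are constructed for the demonstration; the comment text and the javascript: URL are made up.

```php
<?php
// 1. strip_tags() treats any '<' followed by a non-space character as the start
//    of a tag, so ordinary text containing '<' and '>' gets silently mangled.
$plain = 'if a<b then c>d';
var_dump(strip_tags($plain));          // string(5) "if ad"  - "<b then c>" was eaten as a tag

// 2. If you allow some tags, strip_tags() keeps the tag *and* every attribute on
//    it (the PHP manual documents this), so an allowed <a> still carries a
//    javascript: URL straight into the rendered page.
$link = '<a href="javascript:alert(document.cookie)">click</a>';
var_dump(strip_tags($link, '<a>'));    // tag and attribute survive unchanged

// 3. Escape on output instead: keep the raw comment in the database (the bound
//    parameter in the question already does that safely) and turn it into HTML
//    text only when rendering. ENT_QUOTES also escapes both quote characters, so
//    the result is safe inside a quoted attribute value as well as in element
//    content; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function render_comment(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$comment = '<script>alert("xss")</script> 1 < 2';
echo render_comment($comment), "\n";
// &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt; 1 &lt; 2
// The browser displays that text literally; nothing is executed, and the "1 < 2"
// that strip_tags() would have damaged is preserved exactly as the user typed it.
```

The design point: a comment is data, not markup, so the safe default is to store it untouched and escape it for the context it is rendered into. If you genuinely need to allow a subset of HTML, that is the case for a real filtering library such as HTMLPurifier, which understands attributes and URL schemes, rather than for strip_tags() or a hand-rolled loop.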
Your magic quotes handling is fine, although if you create GET parameters with quotes you also need to stripslashes the keys. :)
As far as strip_tags is concerned, you're better off with a real HTML filter library. There are so many HTML-related pitfalls that you just shouldn't trust something you wrote yourself and then forgot about. People spend time creating these HTML filters, so use their work to your advantage.
As far as "straight into the DB" is concerned, with bound parameters that is certainly fine. You can safely put anything in a bound parameter. When you output the stored string, I hope you are escaping the result.