Many Web applications receive external inputs, these external inputs can be a User Input from a form, Cookies, Web Services Data, Server Variables or Database Query Results. Now It is always not mandatory that whatever the input your web application is receiving is in proper format and it is not containing any illegal characters in it. In order to make sure that the data our web application is receiving as an input is in proper format and it is only containing the legal characters, we should always sanitize and validate our data.
Validating data = Determine if the data is in proper form.
Sanitizing data = Remove any illegal character from the data.
In PHP, which is one of the most popular web programming languages around the globe, filters are used, which is called as PHP filters, by using PHP filters we can make sure that whatever the data we are receiving as an input is correct, cause invalid submitted data can lead to security problems and can break down the web page.
PHP provides an inbuilt function filter_var(), that is used for both validating and sanitizing the data.
Let us take an example, that you have a form where you are taking the Name of the person and his Email Address as input, and to make sure that the data you are getting is in proper format and it is not containing any illegal character, you are sanitizing and validating the inputs.
Sanitizing String:
<?php
$name="<h1>ANKUR TAILANG</h1>";
echo $name."<br/>";//it will print ANKUR TAILANG using the <h1> tag
/*see here my name variable is containing <h1> tag which is illegal if I won't sanitize it,
it will be saved in the database like<h1>NAME</h1> that is not good for our web page so we will sanitize it using filter_var()*/
$sanitize_name= filter_var($name,FILTER_SANITIZE_STRING);
//this above line will sanitize the name variable and will remove <h1> tag from it
echo $sanitize_name;//its output will be ANKUR TAILANG
//and now we will save this sanitized variable in our database
?>
Sanitizing and Validating Email Address:
<!DOCTYPE html>
<html>
<body>
<?php
$email = "ankurtailang@gmail.com";
// Remove all illegal characters from email if there exists any
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
// Validate e-mail
if (!filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
echo("$email is a valid email address");
} else {
echo("$email is not a valid email address");
}
?>
</body>
</html>
Another function is used in PHP for removing illegal characters from the data, that function is strip_tags(), Let us see an example of it:
<?php
/*I am inserting a script just to breach the security of the website
if it is not handled carefully, then out site will become prone for
Cross Site Scripting Attack
*/
$var1="<script>alert('HELLO')</script>";
$strip_var= strip_tags($var1);
/*once I use the strip_tags() function it will strip the <script> tags from it
and only alert("HELLO") will be there*/
echo $strip_var;
?>
That's all in this article of mine, Sanitizing the inputted data is a must when you are creating a web application, cause most of the time if the data of a website is neither sanitized nor validated, that particular website becomes prone to the XSS attack, that is Cross Site Scripting Attack, always make sure to sanitize and validate your data, before inserting it into the Database. There are much more PHP filters are there, like we can sanitize and validate Integer values, an IP address, an URL etc.
Learn about Cross Site Scripting here.
No comments:
Post a Comment
Thanks for Your Time!