isChild | anchor |
---|---|
true |
data_filtering |
Never ever (ever) trust foreign input introduced to your PHP code. Always sanitize and validate foreign input before
using it in code. The filter_var()
and filter_input()
functions can sanitize text and validate text formats (e.g.
email addresses).
Foreign input can be anything: $_GET
and $_POST
form input data, some values in the $_SERVER
superglobal, and the
HTTP request body via fopen('php://input', 'r')
. Remember, foreign input is not limited to form data submitted by the
user. Uploaded and downloaded files, session values, cookie data, and data from third-party web services are foreign
input, too.
While foreign data can be stored, combined, and accessed later, it is still foreign input. Every time you process, output, concatenate, or include data in your code, ask yourself if the data is filtered properly and can it be trusted.
Data may be filtered differently based on its purpose. For example, when unfiltered foreign input is passed into HTML
page output, it can execute HTML and JavaScript on your site! This is known as Cross-Site Scripting (XSS) and can be a
very dangerous attack. One way to avoid XSS is to sanitize all user-generated data before outputting it to your page by
removing HTML tags with the strip_tags()
function or escaping characters with special meaning into their respective
HTML entities with the htmlentities()
or htmlspecialchars()
functions.
Another example is passing options to be executed on the command line. This can be extremely dangerous (and is usually
a bad idea), but you can use the built-in escapeshellarg()
function to sanitize the executed command's arguments.
One last example is accepting foreign input to determine a file to load from the filesystem. This can be exploited by
changing the filename to a file path. You need to remove "/"
, "../"
, null bytes, or other characters from the
file path so it can't load hidden, non-public, or sensitive files.
- Learn about data filtering
- Learn about
filter_var
- Learn about
filter_input
- Learn about handling null bytes
Sanitization removes (or escapes) illegal or unsafe characters from foreign input.
For example, you should sanitize foreign input before including the input in HTML or inserting it into a raw SQL query. When you use bound parameters with PDO, it will sanitize the input for you.
Sometimes it is required to allow some safe HTML tags in the input when including it in the HTML page. This is very hard to do and many avoid it by using other more restricted formatting like Markdown or BBCode, although whitelisting libraries like HTML Purifier exists for this reason.
It is dangerous to unserialize()
data from users or other untrusted sources. Doing so can allow malicious users to instantiate objects (with user-defined properties) whose destructors will be executed, even if the objects themselves aren't used. You should therefore avoid unserializing untrusted data.
If you absolutely must unserialize data from untrusted sources, use PHP 7's allowed_classes
option to restrict which object types are allowed to be unserialized.
Validation ensures that foreign input is what you expect. For example, you may want to validate an email address, a phone number, or age when processing a registration submission.