Detailed information about protection against injections in php, mysql?

Hello! I have dug through a lot of information about protecting user input, but I have not found an exact explanation of how to defend properly. On forums, in guides and in other sources it always comes down to the same thing: a person writes a guide on how to protect yourself "correctly", then people in the comments write that he is a fool and is just teaching people bad habits. In the end, nobody is left with good, accurate information.
Take for example this task, the most basic one and the one everybody always talks about: protecting the password and username in the login form. Someone wrote that it must be done like this:
$login = trim($_GET['login']);
$login = strip_tags($login);
$login = mysqli_real_escape_string($mysqli, $login);

And someone else says it should be this:
$login = $_GET['login'];
$login = mysqli_real_escape_string($mysqli, $login);

In the end, all of these options get "rejected". I never received an answer. Besides, even when I "Google" my question, the first results are constantly articles with a negative rating (from Habr, for example). Perhaps the question is very simple, but after reading all the articles I got confused. Can anyone answer this question? Please do not write that I need to use a CMS or other solutions.
Thank you!
July 2nd 19 at 17:26
4 answers
July 2nd 19 at 17:28
Solution
$login = trim($_GET['login']);
$login = strip_tags($login);
$login = mysqli_real_escape_string($mysqli, $login);

Why do you think that we need to change the user's login if that is what she wanted? If she wants to be <script>, let her be. Don't limit yourself.

You need to distinguish between SQL injection and an XSS attack, i.e. if we write to the database, then
$login = mysqli_real_escape_string($mysqli, $login);
query( insert into ... );

Then, to display on the page
$login = query( select from ... );
echo htmlspecialchars($login);

And everyone is happy.

> If you have time, please write how You would write this code. I'm just curious to see a correctly implemented code.

I'm too lazy to write the code; in principle it is already written up above =) but instead of mysqli_real_escape_string in real code I would use prepared statements (PDO or mysqli, although that is probably a matter of taste).
From the login I removed everything superfluous, since it must not contain anything extra (just a word, like "login"). It is never displayed, only used for logging in. For external display another variable, "nickname", is used; there I do not limit anything. I had all of that implemented, then I thought about it and began to look for information. After I read, I doubted my decision and asked here. Thanks for the reply! - juanita23 commented on July 2nd 19 at 17:31
In addition, I ended up on a small project, but one with great responsibility. So I worry about security. - juanita23 commented on July 2nd 19 at 17:34
: I still advise paying attention to the code in my answer: it's a proven solution that has been running for several years. - Kyleigh_Hills commented on July 2nd 19 at 17:37
your code should be code of the month on govnokod.ru. - otho.Mraz23 commented on July 2nd 19 at 17:40
why? can you prove it? - Kyleigh_Hills commented on July 2nd 19 at 17:43
: I will.
1. The code does a lot of things.
2. The code is not doing what it should do. Read habrahabr.ru/post/148701
3. Terrible code construction. The code is not structured, the actions are applied in the wrong place.
4. Disgusting code style. Read www.php-fig.org/psr/psr-2
5. Learn to use composer and the popular libraries that are the de facto standard in the industry.
Finally, read www.phptherightway.com - otho.Mraz23 commented on July 2nd 19 at 17:46
:
On item 1 - I would like specifics.
On item 2 - what does it do?
On item 3 - I would like specifics.
(So far You haven't said anything specific...) - Kyleigh_Hills commented on July 2nd 19 at 17:49
:
1. The code cuts off information that should not be cut off when inserting into the database.
2. It does not protect against SQL injection.
3. Request validation must be done in the controller, and the insert into the database in the model. You have everything mixed together.
Are points 4 and 5 clear? Good then ;) - otho.Mraz23 commented on July 2nd 19 at 17:52
Point 3 - I agree, this is not MVC, but this is just the code itself in the form of functions: where and how to use them (and which ones) and where to get them from is a secondary matter (and clear anyway).
That leaves points 1 and 2)))
About point 1: it cuts quotes instead of escaping them (I assume...)?
About point 2: I can't even guess...
Can you explain them to me? (maybe I really missed something... but I can't understand.) - Kyleigh_Hills commented on July 2nd 19 at 17:55
:
1. To simplify, yes.
2. I just linked the article.
3. You don't have to use the fashionable words "model" and "controller". You still have to separate the different logic levels from each other. Google layers by Fowler. - otho.Mraz23 commented on July 2nd 19 at 17:58
: I read the article, but I can't understand why my code all the same does not protect from SQL injections? That's why I asked... - Kyleigh_Hills commented on July 2nd 19 at 18:01
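The split that the first answer describes (bind or escape on the way into the database, htmlspecialchars on the way out), as an added example that is not code from the question or from any answer above. It uses PDO prepared statements, as that answer recommends, instead of mysqli_real_escape_string. Assumptions: the pdo_sqlite driver is available, so the example runs without a MySQL server (for MySQL, replace the DSN and also pass PDO::ATTR_EMULATE_PREPARES => false); the table layout, the function names registerUser, authenticate and renderGreeting, and the sample data are constructed for the illustration.

```php
<?php
declare(strict_types=1);
// Added example, not code from the question or the answers.
// Assumption: pdo_sqlite is installed; an in-memory database stands in for MySQL.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    // On MySQL add: PDO::ATTR_EMULATE_PREPARES => false (real server-side prepares).
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, nickname TEXT, password_hash TEXT)');

// Storage layer: values travel as bound parameters and never become part of the
// SQL text, so quotes, backslashes or "<script>" in a nickname are just data.
function registerUser(PDO $pdo, string $login, string $nickname, string $password): int
{
    $stmt = $pdo->prepare('INSERT INTO users (login, nickname, password_hash) VALUES (:login, :nickname, :hash)');
    $stmt->execute([
        ':login'    => $login,
        ':nickname' => $nickname,
        ':hash'     => password_hash($password, PASSWORD_DEFAULT),
    ]);
    return (int) $pdo->lastInsertId();
}

// Login check: the row is looked up by a bound parameter and password_verify()
// does the comparison, so the password never reaches the SQL text either.
function authenticate(PDO $pdo, string $login, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, login, nickname, password_hash FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch();
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Output layer: HTML escaping happens at the point of display, with ENT_QUOTES
// so the value is also safe inside attribute values.
function renderGreeting(array $user): string
{
    $safe = htmlspecialchars($user['nickname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Hello, ' . $safe . '</p>';
}

// Constructed sample data: a login containing a quote and a nickname that looks like markup.
registerUser($pdo, "o'brien", '<script>', 'correct horse battery staple');

$user = authenticate($pdo, "o'brien", 'correct horse battery staple');
assert($user !== null && $user['nickname'] === '<script>');   // stored verbatim
assert(authenticate($pdo, "o'brien", 'wrong password') === null);
echo renderGreeting($user), PHP_EOL;                            // the <script> is rendered as text
```

The two escaping decisions are made in two different places on purpose: the database driver handles the SQL context through the placeholders, and htmlspecialchars() handles the HTML context at output time. Nothing is stripped from the stored value, which is what the first answer means by "don't limit yourself".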
July 2nd 19 at 17:30
Read the article habrahabr.ru/post/148701
It will tell you exactly why what you are doing (those two disgusting pieces of code you gave) is unacceptable and leads to SQL injection.
Thank you very much for the reply. I read the article and some thoughts appeared. However, I would like to ask You. If you have time, please write how You would write this code. I'm just curious to see correctly implemented code. - juanita23 commented on July 2nd 19 at 17:33
the article you gave is one of the best on the net. here is another article by the same author - phpfaq.ru
there is EVERYTHING you need to know - juanita23 commented on July 2nd 19 at 17:36
namely phpfaq.ru/mysql/slashes - Kyleigh_Hills commented on July 2nd 19 at 17:39
> please, how would You write this code

learn to read the documentation at last php.net/mysqli_real_escape_string#refsect1-mysqli.... - otho.Mraz23 commented on July 2nd 19 at 17:42
: I would write code like this: docs.doctrine-project.org/projects/doctrine-dbal/e...
The first code example at the link, in paragraph 5.1. - Kyleigh_Hills commented on July 2nd 19 at 17:45
: here an abstraction over the DBMS is used, and on top of it another Query Builder that lets you work with the query as strings.
This is a theoretical answer to your question.

In practice, I would not use DBAL; I would use an ORM. - otho.Mraz23 commented on July 2nd 19 at 17:48
July 2nd 19 at 17:32
Checking incoming variables is done in 2 stages:
1. validfilter() - checks the input variables from users for validity using a Regex.
2. mysql_escape_mimic() - escapes before placing the value into the query expression for the database.
(working code!)
//----------------------
function mysql_escape_mimic($inp) {
    // from: http://php.net/manual/en/function.mysql-real-escape-string.php#101248
    if (is_array($inp))
        return array_map(__METHOD__, $inp);
    if (!empty($inp) && is_string($inp)) {
        return str_replace(array('\\', "\0", "\n", "\r", "'", '"', "\x1a"), array('\\\\', '\\0', '\\n', '\\r', "\\'", '\\"', '\\Z'), $inp);
    }
    return $inp;
}

function validfilter($value, $regexp, $flags = 'usi') {
    // the whole value must match: $result[0] is the full match of the anchored pattern
    if (preg_match('/'.$regexp.'/'.$flags, $value, $result)
        && $result[0] === $value) return $value;
    else return false;
}
$charset = array(
    'bad'    => '\x00-\x09\x0B\x0C\x0E-\x1F\x80-\xFF',
    'sql'    => '\x00\x0a\x0c\x1a\x22\x27\x5c',
    'en'     => 'a-zA-Z',
    'EN'     => 'a-za-Eee',
    'digits' => '0-9',
    'num'    => '0-9-.',
    'space'  => '\s',
);
$filter = array(
    // login - any characters except non-printing ones, the SQL-"dangerous" ones and spaces; 3 to 20 characters.
    'login' => "^"."([^".$charset['bad'].$charset['sql'].$charset['space']."]{3,20})$",
);
//----------------------
$login = validfilter($_REQUEST['login'], $filter['login']);

Then (if necessary), to work safely with the database, use mysql_escape_mimic().
In this case escaping will change nothing in $login, because we already checked it by adding the $charset['sql'] set to the filter check.
Therefore, $login can be used directly in an SQL query without any fears.
nonsense - juanita23 commented on July 2nd 19 at 17:35
: and why is that? Can you justify it? - juanita23 commented on July 2nd 19 at 17:38
because there is no "validity" of the data. ANY data can be written to the database. It is enough to do what is described at the links in the post above.

that is
escaping
- compliance with SQL syntax

validation of CONCRETE data is a completely separate issue. now he has heard enough and starts adding validation on everything. the same thing he was advised with strip_tags - Kyleigh_Hills commented on July 2nd 19 at 17:41
: you can play it safe right away, so that you don't get problems later. After filtering through this code, queries to the database will be as secure as possible. - otho.Mraz23 commented on July 2nd 19 at 17:44
> queries to the database will be as secure as possible...

if you follow the article's recommendation. there is no need to invent anything more - Kyleigh_Hills commented on July 2nd 19 at 17:47
: yeah... I see the author didn't write a treatise but rather a whole class: https://github.com/colshrapnel/safemysql/blob/mast... - otho.Mraz23 commented on July 2nd 19 at 17:50
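The two-layer idea from this answer (format validation first, then safe placement in the query), as an added example that is not the answer's code and not from the linked articles. It replaces the answer's blacklist character classes with a whitelist anchored by \A and \z, treats a preg_match() failure on a non-UTF-8 byte string as a rejection, and still binds the value with a prepared statement instead of using it "directly in an SQL query", which is the point the comments above make: validation decides which logins the application accepts, the placeholder decides how the bytes reach the SQL engine. Assumptions: pdo_sqlite is available (in-memory database instead of MySQL); the names validateLogin, findUserId and lookupByLogin and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);
// Added example, not code from this answer. Assumption: pdo_sqlite is installed.

// Layer 1: format validation. Whitelist the shape the application wants for a
// login (here 3 to 20 ASCII letters, digits or underscores). \A and \z anchor the
// whole string, unlike ^/$, so a trailing newline cannot slip past. Under the /u
// modifier preg_match() returns false (not 0) for byte strings that are not
// valid UTF-8; the strict comparison with 1 turns that into a rejection too.
function validateLogin(string $login): ?string
{
    $ok = preg_match('/\A[A-Za-z0-9_]{3,20}\z/u', $login);
    return $ok === 1 ? $login : null;
}

// Layer 2: query construction. The value is bound, never concatenated, even
// though it has already passed validation. The two layers answer different
// questions: "is this a login we accept?" versus "how does this byte string
// reach the SQL engine intact?".
function findUserId(PDO $pdo, string $login): ?int
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE login = ?');
    $stmt->execute([$login]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Glue: a rejected login never reaches the database at all.
function lookupByLogin(PDO $pdo, string $rawLogin): array
{
    $login = validateLogin($rawLogin);
    if ($login === null) {
        return ['status' => 'rejected', 'id' => null];
    }
    return ['status' => 'ok', 'id' => findUserId($pdo, $login)];
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE)');
$pdo->prepare('INSERT INTO users (login) VALUES (?)')->execute(['juanita23']);

// Constructed inputs and the outcome each one should get.
$cases = [
    'juanita23'   => 'ok',       // valid and present
    'nobody_here' => 'ok',       // valid but absent: id stays null
    "juanita23\n" => 'rejected', // trailing newline would pass a ^...$ check
    "o'brien"     => 'rejected', // wrong shape for this application, not a "dangerous character" verdict
    'ab'          => 'rejected', // too short
    "\xC3"        => 'rejected', // invalid UTF-8: preg_match() returned false
];
foreach ($cases as $input => $expected) {
    $result = lookupByLogin($pdo, $input);
    assert($result['status'] === $expected, "unexpected verdict for " . bin2hex($input));
}
assert(lookupByLogin($pdo, 'juanita23')['id'] === 1);
assert(lookupByLogin($pdo, 'nobody_here')['id'] === null);
echo "all cases behaved as expected", PHP_EOL;
```

If a field like the nickname from the first answer's thread is meant to be unrestricted, it simply skips layer 1 and still goes through layer 2 unchanged; validation is a business rule about the field, the placeholder is what keeps the query's syntax fixed.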
July 2nd 19 at 17:34
Prepared queries.

Try actually to read Habr less and the documentation from the developers of the tool you use more. Habr and other blog platforms are the subjective opinion of the author. Not a reliable source of information.
I agree 75%.
Even in the docs from the developers there are bugs too...
I still prefer explicit pre-filtering with a Regex when working with data in any case, and it lets me make the request in a form that is safe and convenient for me. - juanita23 commented on July 2nd 19 at 17:37
There are bugs, but that is a case where the documentation disagrees with the code. Accordingly, when someone files a report, the developers release a fix that corrects the documentation or the code.

But otherwise, with articles, besides mistakes there may be a personal delusion of the author or, in your case, a preference, i.e. in contrast to the documentation an article is a subjective opinion. Therefore, not a reliable source. - juanita23 commented on July 2nd 19 at 17:40
About the bugs - the code is at odds with what it should do in reality, and this may threaten a break-in because of a trivial oversight by the developers. I'd rather filter once than dig into the problem later.
It's not so much a preference as extra protection from the developers' own bugs. As they say: just in case.
And about the article - there can be anything in it: it's a more than reliable source. - Kyleigh_Hills commented on July 2nd 19 at 17:43