How to properly filter input from users in PHP?

What is the industry standard to filter input from users (both POST and GET) to avoid SQL injections and things of that nature. So far I am using filter_input() and mysql_real_escape_string() functions? Is that enough and if not, what other methods I should use开发者_StackOverflow社区?

An important rule to live by is FIEO. Filter Input Escape Output.

ANY information that you take and store from a user must be filtered server-side, in order to do this you should be using mysql_real_escape_string. It always should be the last thing you should before adding the value to the database. Validate the users input, ensure it is what you want, remove any symbols or tags if you need to using Regular Expressions, check its length and any other rules - do all this, then finally apply the MySQL function mysql_real_escape_string.

ANY information that you are displaying on your webpage that is dynamic - i.e. has come from a database of user-generated content or has directly come from user input must then be escaped. You must URL encode any symbols, remove (or encode) any HTML tags.

I highly recommend you watch this presentation on web security by expert Chris Shiflett:

http://www.slideshare.net/shiflett/evolution-of-web-security

Escaping to avoid SQL injection and filtering or validating inputs are two different things. You do not need to filter input to avoid SQL injection, and filtering input does not necessarily help against SQL injection.

To avoid SQL injection you escape the input so it won't mess up the syntax of your query, or you use prepared statements that avoid the problem entirely. It does not matter what this input contains, whether it's filtered or not. If you escape it once using the appropriate escaping function for your database or use prepared statements, you're done worrying about SQL injection.

You filter or validate input for different reasons, mostly because you do not want to allow certain values in the database. This is entirely separate from how these values are put into the database (which is where SQL injection could occur).

On output you need to escape the values according to your output medium as well, for the same reasons you escape them when putting them in an SQL query: to avoid messing up syntax, which may be exploited. I.e. when outputting to a webpage, you HTML escape your values. Again, it doesn't matter what value it is; if it's properly escaped, it can be anything.

i suggest you use database lib for saving data to database like pear db or cakephp orm

in this method you really sure noting can attack your db for injection

you may use PDO for database connection in php. PDO stands for PHP Data Object. It is better than mysql_connect. PDO is Objetc oriented and also it ensure much more protection.

http://www.php.net/manual/en/class.pdo.php

$link = new PDO ( $dsn, $user, $password, $options ) ;

use htmlspecialchars to encode characters that could cause problems. Validating the data is different, it depends on what you are expecting from the input field.