
Is the filter_var function with the parameter FILTER_SANITIZE_STRING an acceptable means to sanitizing database inputs?

I'm using the following when receiving input from a form and wanted to see if this was considered an acceptable practice.

I know that ideally one should use a parameterized interface but I'm curious about alternatives, provided there are any acceptable alternatives, to that approach.

$this->fname = filter_var( $this->fname, FILTER_SANITIZE_STRING );
Rob Baillie
morris295
  • To sanitize data going to the database, as you are using PHP, I would recommend you first use PDO prepared statements, which reduce the risk of SQL injection, and you also need to use client-side input data sanitation methods. – Mubo Feb 12 '14 at 15:25
  • I do have JavaScript validation on the form fields, but I would ideally like to have another layer between the form and the database. – morris295 Feb 12 '14 at 15:40
  • That seems good to me. For server side when using PHP, PDO and prepared statements are really good so far and do the job. That should be enough, I think. – Mubo Feb 12 '14 at 15:43

2 Answers

1

I'd say no. It will strip out or encode, depending on the flag you set, non-string characters; however, it's always a good idea to keep database sanitisation with functions such as mysql_real_escape_string.

Plus it's not going to do any harm having the extra layer of security in there.

Ashley
  • That's my understanding of the situation as well but more precisely the problem I'm facing is that we're using an ODBC connection to access a Microsoft SQL Server database. There is no equivalent function to `mysql_real_escape_string` with ODBC to the best of my knowledge, what's the best method to use under those circumstances? – morris295 Feb 12 '14 at 15:30
  • This (http://stackoverflow.com/questions/6197828/how-to-sanitize-odbc-database-input) perhaps? – Ashley Feb 12 '14 at 15:31
1

I would first say that you use PDO, and make your queries safer by using prepared queries (see PDO Prepared statements).

The mysql_real_escape_string() function is good, but don't use it with the addslashes() function at the same time; they can conflict with each other.

Mubo
  • I should further specify that we are using a Microsoft SQL Server database. As such, I just took a look at the PDO documentation on php.net it states that functionality with MS SQL server is "experimental", that's not really desirable in this case. It looks like PDO handles MySQL quite well, but not necessarily SQL Server. – morris295 Feb 12 '14 at 15:48
  • I just looked a little bit further at the documentation and it appears that PDO also has `PDO_ODBC` for use with system DSNs. I think that better addresses what I was initially looking for. Please disregard my previous statement about PDO and MS SQL Server. – morris295 Feb 12 '14 at 15:52
  • I was about to write to you about this. PDO is a PHP database abstraction layer and is designed not only for MySQL but also for all other existing database languages. Cheers – Mubo Feb 12 '14 at 15:55
  • Yeah, I saw PDO_ODBC listed maybe a moment after I clicked "back" from the Microsoft SQL Server section of the docs and felt a little foolish. Thanks for all your help. – morris295 Feb 12 '14 at 15:58
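As an added example that is not code from the question or from either answer, the script below puts the two sides of this thread next to each other: what `filter_var(..., FILTER_SANITIZE_STRING)` actually does to the `$this->fname` style input in the question, and the PDO prepared-statement approach both answers recommend, including the `PDO_ODBC` DSN the asker settled on. An in-memory SQLite database stands in for the asker's SQL Server so the script runs offline (it assumes the `pdo_sqlite` extension); the ODBC connection line is shown commented out, and its DSN name `MyMssql` and the `$dbUser`/`$dbPass` variables are assumed placeholders, not anything from the thread.

```php
<?php
declare(strict_types=1);
// Added example, not code from the question or the answers. It shows (1) what
// FILTER_SANITIZE_STRING really does to injection-style input and (2) the
// prepared-statement approach the answers recommend. An in-memory SQLite
// database stands in for the asker's SQL Server so the script runs offline;
// the PDO_ODBC line is commented out and its DSN name "MyMssql" is assumed.

// Constructed sample inputs.
$inputs = [
    'legit'   => "O'Brien",        // legitimate data containing a quote
    'string'  => "x' OR '1'='1",   // payload aimed at a quoted string context
    'numeric' => "1 OR 1=1",       // payload aimed at an unquoted numeric context
];

echo "=== filter_var(..., FILTER_SANITIZE_STRING) ===\n";
foreach ($inputs as $label => $raw) {
    // Deprecated since PHP 8.1; used here only to show its behaviour:
    // it strips tags and HTML-encodes quotes, it does not SQL-escape anything.
    $filtered = filter_var($raw, FILTER_SANITIZE_STRING);
    printf("%-8s %-14s -> %s\n", $label, $raw, $filtered);
}

$pdo = new PDO('sqlite::memory:');                     // offline stand-in (needs pdo_sqlite)
// $pdo = new PDO('odbc:MyMssql', $dbUser, $dbPass);   // asker's setup: PDO_ODBC + system DSN (assumed name)
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, fname TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (fname) VALUES ('Alice'), ('Bob'), ('O''Brien')");

// Vulnerable: the value is spliced into the SQL text, so the server parses it as SQL.
function findByNameInterpolated(PDO $pdo, string $name): array
{
    $sql = "SELECT fname FROM users WHERE fname = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the value travels as a bound parameter and is only ever compared as data.
function findByNamePrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT fname FROM users WHERE fname = :fname');
    $stmt->execute([':fname' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// For numeric columns, validate the type (this is where filter_var is useful)
// and bind an int; a payload like "1 OR 1=1" never reaches the query at all.
function findById(PDO $pdo, string $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException("id must be an integer, got: $rawId");
    }
    $stmt = $pdo->prepare('SELECT fname FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo "\n=== string context ===\n";
echo 'interpolated, payload: ', json_encode(findByNameInterpolated($pdo, $inputs['string'])), "\n";
echo 'prepared, payload:     ', json_encode(findByNamePrepared($pdo, $inputs['string'])), "\n";
echo 'prepared, real name:   ', json_encode(findByNamePrepared($pdo, $inputs['legit'])), "\n";

echo "\n=== numeric context ===\n";
echo 'prepared, id 2:        ', json_encode(findById($pdo, '2')), "\n";
try {
    findById($pdo, $inputs['numeric']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Running it makes the thread's point concrete. The filter turns `O'Brien` into `O&#39;Brien`, so legitimate data is corrupted before it is stored, while `1 OR 1=1` passes through untouched, so an unquoted `WHERE id = $id` stays injectable no matter how the value was "sanitised". The interpolated name lookup returns every row when given the `x' OR '1'='1` payload; the prepared lookup returns nothing for that payload and finds `O'Brien` correctly, because the bound value is never parsed as SQL. The numeric lookup shows the job `filter_var` is actually good for: `FILTER_VALIDATE_INT` rejects the payload outright, and the accepted integer is bound with `PDO::PARAM_INT`. Switching from the SQLite stand-in to the asker's SQL Server is a one-line change to the DSN; the prepared statements themselves are the same with `PDO_ODBC`.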