More than the bits & pieces

19 Jan 08 Sanitizing User Input in PHP: Bobby Tables Strikes Again!

This is a solved problem, yet the volume of applications that are exposed to vulnerabilities due to improperly filtered input is staggering.

What is the problem?

Given crafted input, an application will interpret that input as executable code: either as SQL, when the input is concatenated into a query, or as code in the application's own language, when the input reaches an "eval" block. There have been numerous high-profile examples of these attacks being used against web sites. The infamous RIAA's website just suffered from one such attack.

What does an attack on this vulnerability look like?

An attack might best be described by this short cartoon:

What is the best practice for sanitizing input?

This is a simplified example of how I do it, in PHP. PHP supports Perl-Compatible Regular Expressions, and any language with comparable regular expression support (Perl, for instance) can express the same filter in a similar one-liner.

$cleanvar = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['var'] ?? ''); // allow-list: keep only upper & lower ASCII letters and digits; ereg_replace was removed in PHP 7, preg_replace is the PCRE equivalent
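The one-liner above, worked into a runnable script as an added example (this is not code from the original post). It wraps the allow-list filter in a function with a length limit, runs it over constructed sample inputs including the Bobby Tables payload, and goes one step beyond the post by showing the parameterised query that keeps the SQL layer safe regardless of what a filter lets through. Assumptions: PHP 7 or later with the pdo_sqlite extension; the `students` table, the `sanitize_alnum` function name and the sample inputs are all constructed for this demo.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7 with pdo_sqlite.
declare(strict_types=1);

/**
 * Allow-list filter: keep only ASCII letters and digits, then cap the length.
 * Anything else (quotes, semicolons, spaces, comment markers) is dropped.
 * The length cap matters because an allow-list says nothing about size.
 */
function sanitize_alnum(string $value, int $maxLen = 64): string
{
    // preg_replace returns null on a regex engine error; treat that as empty.
    $clean = preg_replace('/[^a-zA-Z0-9]/', '', $value) ?? '';
    return substr($clean, 0, $maxLen);
}

// Constructed sample inputs, including the classic Bobby Tables payload.
$inputs = [
    'Robert',
    "Robert'); DROP TABLE students;--",
    '<script>alert(1)</script>',
];

foreach ($inputs as $raw) {
    printf("%-40s => %s\n", $raw, sanitize_alnum($raw));
}

// Defence in depth: even with a filter in front, the query itself is
// parameterised. The placeholder keeps the value as data; the database
// engine never parses it as SQL, so the raw payload can be stored verbatim.
$db = new PDO('sqlite::memory:');               // constructed in-memory DB
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO students (name) VALUES (:name)');
foreach ($inputs as $raw) {
    $insert->execute([':name' => $raw]);        // bound as data, not as SQL
}

// If any input had been interpreted as SQL, the table would be gone;
// counting rows over the intact table shows that it was not.
$count = (int) $db->query('SELECT COUNT(*) FROM students')->fetchColumn();
echo "rows in students: $count\n";
```

The filter and the prepared statement solve different problems: the allow-list decides what the application is willing to accept (and is the right tool for fields that genuinely are alphanumeric, such as usernames or codes), while the bound parameter guarantees that whatever is accepted can never change the structure of the query. Fields that legitimately contain apostrophes or spaces (names like O'Brien, free-text comments) cannot be protected by stripping characters, so the prepared statement is the control that must always be present.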
