Protecting your site from security vulnerabilities can be a daunting task at times, and it is extremely important that you take the precautions necessary to protect yourself and your site users.
In this article, we will be discussing AJAX Data Sanitization, and by the end of this article you should know exactly how to protect yourself from data injection.
Note: For the purpose of this article we will be discussing form submission and data retrieval via AJAX; however, all of the processes we discuss apply to any data exchanged via AJAX, or indeed to any HTTP request, since an AJAX call is just an HTTP request that the browser happens to make from JavaScript.
You should never assume data submitted by a visitor is safe. Remember, people make mistakes and more often than you think visitors will enter data which is not safe for submission to your site/database.
It is also important to remember that there are users who are knowingly trying to inject data into your site for malicious purposes, more commonly known as attackers. These individuals (and groups in some cases) are actively looking for a weakness in your site which they can use to extract data or gain access, and they will not be using your form or your client-side JavaScript to do it: they will send requests directly, with whatever payload they choose.
Additionally, you should never assume that data is safe when it is being retrieved from your database. We should always prepare for the worst possible scenario, meaning we should be prepared in the event that an attacker is able to inject malicious data successfully.
We should therefore always assume the data being retrieved (or sent) is unsafe, and handle it accordingly.
As mentioned earlier, we should never assume data being sent by our site visitors matches our requirements, and we should ensure the data meets all our security requirements before storing it in our database. This process is called validation, and it is a fundamental part of ensuring the security of your website.
We will be discussing validation in PHP, however you should be able to apply this to any server-side language.
Always ensure the data being processed matches the data you requested. For example, if we had a form which requested a visitor's age, we should check that the value is a whole number within a sensible range and reject anything else. Rejecting everything that does not fit the expected shape narrows what an attacker can get into the system at all, and it also makes the input requirements clear to legitimate users.
Here are a few PHP functions to help you with validation:
Check if variable is set: isset($var)
Check if variable is an integer: is_int($var)
Check if variable is a double: is_double($var) (an alias of is_float)
Check if variable is a float: is_float($var)
Check if variable is a boolean: is_bool($var)
Check if variable is a string: is_string($var)
Check if variable is an array: is_array($var)
Be aware that everything arriving in $_GET and $_POST is a string (or an array of strings), so is_int($_POST['age']) is false even when the user typed 42. Either typecast the value to the type you require, for example (int) $_POST['age'], or use filter_var with a filter such as FILTER_VALIDATE_INT, which converts the string and rejects it if the conversion is not clean. A typecast forces the type and discards anything that does not fit, but it does so silently, so a value like "42abc" becomes 42 rather than being reported as invalid; filter_var returns false in that case, which is usually what you want.
More advanced validation can be built for more structured information, for example checking that an email address is well-formed with filter_var($email, FILTER_VALIDATE_EMAIL), or matching a username against an allow-list pattern of permitted characters and lengths.
We recommend validating all input data as this will reduce the risk of data injection, and as a result this will reduce the risk of attacks on your site.
When using AJAX you should return an error message to the user if data was entered incorrectly or does not meet requirements. Return it in a structured form (JSON with a per-field list of errors and a 4xx status code) so the client can show the problem next to the relevant field and the user can rectify the issue and submit the data again. Any checks you run in the browser are for convenience only; the server-side checks are the ones that count.
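The validation steps above, as an added example that is not code from the original article: a PHP endpoint that validates an AJAX form submission with filter_var and an allow-list pattern, and answers with a JSON error list. The field names (age, email, username), their limits and the users it imagines are assumptions for illustration.

```php
<?php
// Added example (not from the original article): server-side validation of an
// AJAX form submission, returning a JSON error list the client can display.
// The field names, ranges and patterns below are assumptions for illustration.
declare(strict_types=1);

function validate_submission(array $input): array
{
    $errors = [];

    // Age: values arriving via $_POST are strings, so is_int() would reject "42".
    // FILTER_VALIDATE_INT converts cleanly formatted integers and returns false
    // for anything else (including "42abc", which a plain (int) cast would accept).
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 150],
    ]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number between 1 and 150.';
    }

    // Email: a syntactic check only; it does not prove the mailbox exists.
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Please enter a valid email address.';
    }

    // Username: allow-list the character set and length rather than trying to
    // remove "bad" characters from whatever was sent.
    $username = (string) ($input['username'] ?? '');
    if (!preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $username)) {
        $errors['username'] = 'Username must be 3-20 letters, digits or underscores.';
    }

    $ok = ($errors === []);
    return [
        'ok'     => $ok,
        'errors' => $errors,
        // Only the converted, checked values are handed on to the rest of the app.
        'data'   => $ok ? ['age' => $age, 'email' => $email, 'username' => $username] : null,
    ];
}

if (PHP_SAPI !== 'cli') {
    // Entry point for the AJAX request: always answer with JSON so the client
    // reads a structured error list instead of scraping an HTML page.
    $result = validate_submission($_POST);
    http_response_code($result['ok'] ? 200 : 422);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode($result);
    exit;
}

// Constructed sample inputs so the script can be run from the command line.
print_r(validate_submission(['age' => '42', 'email' => 'alice@example.com', 'username' => 'alice_1']));
print_r(validate_submission(['age' => '42abc', 'email' => 'not-an-email', 'username' => 'x']));
```

Run it with php on the command line to see the two results, or deploy it as the target of the form's AJAX request. The client-side code can then read the errors object and place each message beside its field.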
Next we will discuss sanitizing data, covering common methods of sanitizing data, as well as why sanitizing data is important.
After we have finished our data validation process, and we are sure all data meets the requirements, we should still make sure the data cannot cause harm in the place it is about to be used, whether that is an SQL statement, an HTML page or a JSON response.
The reason for this second layer is that validation can fail or be incomplete: a rule can be forgotten, a field can be added later without one, or data can reach the database through a different code path. Treating data as unsafe at the point of use means we are protected regardless of how thorough the validation turned out to be.
The first thing many sites choose to do is ensure that no HTML is stored in fields that are never meant to contain it, such as a username. Any HTML tags can be removed with the strip_tags function in PHP:
$variable = strip_tags($variable);
Treat this as tidying the data rather than as a security control: strip_tags only removes things that look like tags, it does not remove attribute fragments or quotes, and it cannot know which page context the value will later be used in. The protection against script injection comes from escaping on output, which we cover below.
Next, we should ensure that no part of the submitted data can be interpreted as SQL when it is placed into a statement, which would allow an attacker to read or alter data in our database (SQL Injection). One way to do this is the mysqli_real_escape_string function in PHP:
$variable = mysqli_real_escape_string($link, $variable); //Link refers to the database connection
This escapes the characters that have special meaning inside a quoted SQL string literal (quotes, backslashes, NUL and new line characters, etc.), so a value that contains a quote cannot close the string early and add its own SQL. Note the limits: it only protects a value that is placed inside quotes, so an unquoted number (WHERE id = $id) or a column or table name is not protected at all, and it depends on the connection's character set, which you should set with mysqli_set_charset rather than a raw SET NAMES query.
Note: We recommend using prepared statements wherever possible. With a prepared statement the SQL text and the values are sent to the database separately, so a value can never be parsed as SQL whatever it contains; this is the primary defence against SQL injection, and escaping should be thought of as the fallback for the rare cases where a value cannot be bound.
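The three ways of building the same INSERT, as an added example that is not code from the original article: string concatenation, mysqli_real_escape_string, and a prepared statement. The users table, its columns and the connection details are assumptions; the attacker inputs are constructed.

```php
<?php
// Added example (not from the original article): the same INSERT built three
// ways, to show what mysqli_real_escape_string does and does not cover.
// The `users` table, its columns and the connection details are assumptions.
declare(strict_types=1);

// 1. String concatenation: the raw input becomes part of the SQL text.
function build_unsafe(string $username, string $age): string
{
    return "INSERT INTO users (username, age) VALUES ('$username', $age)";
}

// 2. Escaping: safe for the quoted $username, but $age is not inside quotes, so
//    escaping quotes and backslashes in it changes nothing. Only the (int) cast
//    keeps it from altering the statement.
function build_escaped(mysqli $link, string $username, string $age): string
{
    $u = $link->real_escape_string($username);
    $a = (int) $age;
    return "INSERT INTO users (username, age) VALUES ('$u', $a)";
}

// 3. Prepared statement: the values are bound and never parsed as SQL, so the
//    content and quoting of $username are irrelevant to the statement's meaning.
function insert_prepared(mysqli $link, string $username, int $age): bool
{
    $stmt = $link->prepare('INSERT INTO users (username, age) VALUES (?, ?)');
    $stmt->bind_param('si', $username, $age);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed attacker input for the quoted field: closes the string, finishes
// the INSERT and comments out the rest. (mysqli::query does not run a second
// statement, but the same trick inside a SELECT or UPDATE changes its WHERE.)
$quotedPayload = "x', 0); -- ";
echo build_unsafe($quotedPayload, '0'), PHP_EOL;

// Constructed attacker input for the unquoted field: there is no quote to
// escape, yet the statement still changes shape.
$numericPayload = '0); -- ';
echo build_unsafe('bob', $numericPayload), PHP_EOL;

// The escaped and prepared variants need a live MySQL connection. The
// credentials below are placeholders; replace them before uncommenting.
// $link = new mysqli('localhost', 'app', 'secret', 'appdb');
// $link->set_charset('utf8mb4');   // escaping depends on the connection charset
// echo build_escaped($link, $quotedPayload, $numericPayload), PHP_EOL;
// var_dump(insert_prepared($link, $quotedPayload, 42));
```

Running the script as-is prints the two concatenated statements so you can see where the attacker's text lands; with a connection configured, the escaped version shows the quote neutralised but the integer cast doing the real work for age, and the prepared version accepts both payloads as plain data.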
We are now at a point where we have allowed data to be stored in our database, and we will be retrieving it and displaying it on the front-end of our site. It is easy to forget that we should still treat the data as unsafe even though we have followed the steps above.
As the data is exchanged via AJAX, every request is just HTTP: an attacker can skip the page entirely and send any payload directly to the endpoint, so the client-side checks in our JavaScript tell us nothing about what actually arrived. Data can also reach the same table through other forms, imports or administrative tools that were validated differently, or not at all.
Remember: a gap in validation or sanitization anywhere means the stored data may not be safe. We should therefore ensure the data is safe for the context it is about to be placed in at the moment we output it.
We should escape the characters that have special meaning in HTML (<, >, &, and both kinds of quote) using the htmlspecialchars function in PHP:
$variable = htmlspecialchars($variable, ENT_QUOTES, 'UTF-8');
This replaces those characters with their entity equivalents, so any tags in the value are displayed as text rather than interpreted by the browser. Pass ENT_QUOTES so the value is also safe inside a single-quoted attribute, and give the character set explicitly so it matches your page. As mentioned earlier, you may additionally choose to remove HTML from the stored value with strip_tags, but that is not a substitute for escaping at output.
It is good practice to repeat this process for every variable being output into the DOM, so as to prevent the injection of scripts or other elements which may harm your users. Escaping is context-specific: HTML escaping is the right choice for text placed in the page body or in an attribute, while a value returned to JavaScript should be emitted with json_encode and inserted by the client with textContent rather than innerHTML.
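Output escaping for the two contexts an AJAX-backed page usually feeds, as an added example that is not code from the original article: an HTML fragment and a JSON response. The row is constructed to look like data an attacker managed to store; the column names are assumptions.

```php
<?php
// Added example (not from the original article): escaping a database row for
// the contexts an AJAX response typically feeds. The row below is constructed
// to resemble data that got past validation; column names are assumptions.
declare(strict_types=1);

// HTML body and attribute context. ENT_QUOTES escapes both ' and " so the
// value is safe inside single-quoted attributes too; ENT_SUBSTITUTE replaces
// invalid UTF-8 sequences instead of returning an empty string, and the
// explicit charset must match the page's encoding.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JSON context. json_encode handles the quoting; the JSON_HEX_* flags also
// encode <, >, &, ' and " as \uXXXX so the payload stays inert even if it is
// ever embedded inside an inline <script> block.
function to_json(array $data): string
{
    return json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed row, as if read back from the database.
$row = [
    'username' => '<script>alert(document.cookie)</script>',
    'bio'      => '" onmouseover="alert(1)',
];

// Rendering directly into HTML: both the tag and the attribute breakout are
// neutralised because every special character becomes an entity.
echo '<span class="name">', esc_html($row['username']), '</span>', PHP_EOL;
echo '<input value="', esc_html($row['bio']), '">', PHP_EOL;

// Returning JSON for the client to insert with textContent (never innerHTML).
if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/json; charset=utf-8');
}
echo to_json($row), PHP_EOL;
```

Run it from the command line to see the escaped HTML and the JSON side by side. On the client, read the JSON and assign each value with element.textContent; if the same string is written with innerHTML the browser will parse it as markup and the work done here is undone.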
Preventing data injection and malicious activity on your site is critical, and with attack methods and patterns constantly changing it can be difficult at times to be sure your data is secure.
However, if you follow the steps above, validating every input, using prepared statements for every query, and escaping every value for the context it is output into, it should be a lot easier.
We should always strive to improve our overall data security, not only to prevent data from being acquired by attackers, but also to ensure the stability of our sites/services.