
I've read every post here on escaping and unfortunately almost every one has disagreements amongst posters, so I just want to ask the community about my specific situation before I make a major mistake because I misunderstood another post.

I am storing user preferences in a MySQL database where I personally place the information directly into the database myself, not user submitted inputs.

My questions are:

1.) If I am running a PHP query and placing the query result into other PHP code blocks, not as HTML but just as things like other queries, i.e. (SELECT * from $queryresult), there is no need to escape this, correct?

2.) If I am outputting what I stored in the database as HTML directly from the database, do I need to sanitize this output in any way? My understanding is that sanitization is strictly for user submitted input. Need I really worry about data coming out of database fields I personally populated?

I think I know the answers here after reading, but I don't want to leave any room for error on this one.

Dev Newb
  • Please only ask one question at once. For the one part of it: Duplicate of [Best way to stop SQL Injection in PHP](http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php) - And if you have a problem with answers you find here on similar questions, add comments there or write explicitly what specifically you don't understand. Security is not a package in a store you can grab and then you have it. – hakre Apr 11 '12 at 14:58
  • Can you point to examples that gave you the idea that you don't need to escape queries with your own data, and that you don't have to escape data for HTML? I'd like to go to those questions and downvote such answers accordingly, and provide correct answers. – Brad Apr 11 '12 at 15:08
  • Oh geez, c'mon hakre! What kind of a response is that?! Note taken on one question at a time. I didn't have a problem with a particular post, but if you read them all it still isn't exactly clear, so I asked my own question. Who mentioned wanting a security package?! Clearly this question is to advance my knowledge of security so I can apply this escaping piece of the puzzle to my applications. Isn't this supposed to be a community to help people trying to learn? Not quite sure how your answer accomplishes that... just saying – Dev Newb Apr 11 '12 at 15:11
  • @Brad Posts such as this: http://stackoverflow.com/questions/2573332/decoding-mysql-real-escape-string-for-outputting-html led me down that road, but I'm sure that is my problem and not the post. My confusion was that most posts deal with user submitted input, so I connected some dots that weren't there. But since I knew I was connecting dots I thought I would ask specifically about database content that I put there. Your answer clears it up for me. Thanks again. – Dev Newb Apr 11 '12 at 15:16

1 Answer


Question 1 - Escaping data for MySQL queries

No, you must always escape data in your queries, regardless of the source. Data escaping is for the query parser. Even if the data comes from your own code, you must escape it.

Learn to use PDO to avoid this problem.

Question 2 - Escaping data for HTML

If you are outputting data to HTML, you must always escape it with htmlspecialchars() or equivalent. This is so you don't have to worry about bad HTML code, as well as XSS.

Brad
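Both points of the answer in one place, as an added example that is not code from the answer or the question: preference values written by the application are still bound with PDO prepared statements (including a value read by one query and reused in another), and the value is escaped with htmlspecialchars() only at the moment it is printed as HTML. It assumes a `preferences(user_id, name, value)` table and placeholder connection details.

```php
<?php
// Added example: user preferences stored via PDO prepared statements and
// escaped on HTML output. Assumes a table preferences(user_id, name, value)
// and placeholder credentials.

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4'; // placeholder
    return new PDO($dsn, 'YOUR_USER', 'YOUR_PASSWORD', [        // placeholder
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
}

// Question 1: data the developer wrote is still bound, never concatenated
// into the SQL text, so the query parser never sees a quote as SQL.
function savePreference(PDO $pdo, int $userId, string $name, string $value): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO preferences (user_id, name, value) VALUES (:uid, :name, :value)'
    );
    $stmt->execute([':uid' => $userId, ':name' => $name, ':value' => $value]);
}

// A value coming out of one query and going into another is bound the same
// way; there is no "trusted source" exception for the parser.
function findTheme(PDO $pdo, int $userId): ?string
{
    $stmt = $pdo->prepare('SELECT value FROM preferences WHERE user_id = ? AND name = ?');
    $stmt->execute([$userId, 'theme']);
    $theme = $stmt->fetchColumn();
    return $theme === false ? null : $theme;
}

// Question 2: escape for HTML at the point of output, whatever the source.
// ENT_QUOTES also covers single quotes so the value is safe inside attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$pdo = connect();
savePreference($pdo, 42, 'theme', "O'Reilly <dark>"); // constructed value with ' and <
$theme = findTheme($pdo, 42);
echo '<div class="theme">' . h($theme ?? 'default') . '</div>';
```

The constructed value contains both a single quote and an angle bracket: the prepared statement stores it unchanged without breaking the SQL, and `h()` renders it as `O&#039;Reilly &lt;dark&gt;` rather than as markup.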