
I am essentially taking a user's input, storing it in a MySQL database, and then outputting it to the same user and to other users.

Right now, I am applying mysql_real_escape_string() to all things inputted by the user, and whenever something is echoed (which is then displayed to the user through AJAX), I apply htmlspecialchars().

Is this okay? Is there anything better? I want a simple, secure solution that keeps the text clean. Preferably, I would also like to secure the text before it enters into the database, as consistency is important for me here.

Thanks!

Gus
  • Please look at some of the questions in the "related" list on the right. Hopefully they will address your concerns. – Oliver Charlesworth Jul 06 '12 at 00:18
  • Paul - I would rather use something more simple and familiar to me, but I will look into it. Oli - I did, but I think my case is more specific because I want to totally filter input before it goes in the database. I essentially want it stored as plain text, with xss and injection threats removed. – Gus Jul 06 '12 at 00:21
  • ok, then check out `magic_wand()`. But really, just spend some time learning PDO. Once you do that, it will become familiar to you – Paul Dessert Jul 06 '12 at 00:24
  • It makes more sense to combat XSS/CSRF on _output_ -- when your output is formatted in JSON vs XML vs HTML, the threats are different; you should format the data correctly for output _at output time_. For SQL Injection, it is just far easier to use tools such as PDO that do not suffer from SQL Injection problems -- and leave the data alone, unmangled. (How many times have you seen websites that say something stupid like `Hello, O''Malley!` or `Don''t worry be happy`? Too many times. Don't mangle your data.) – sarnold Jul 06 '12 at 00:26
  • The most secure system is no system at all. – Petah Jul 06 '12 at 00:26
  • possible duplicate of [What's the best method for sanitizing user input with PHP?](http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php) – John Carter Jul 06 '12 at 00:31

2 Answers


If you mean "clean" as in "secure", then htmlspecialchars() is quite all right. You may want to use htmlentities(), which encodes all characters as opposed to just the special ones.

Some characters get by htmlentities() and htmlspecialchars() (those which aren't in Latin1), and consequently you might want to "UTF-8 proof" your output. You can use this function I found as a comment on the PHP docs.

// Unicode-proof htmlentities.
// Returns 'normal' chars as chars and weirdos as numeric HTML entities.
function superentities( $str ){
    // get rid of existing entities else double-escape
    $str = html_entity_decode(stripslashes($str),ENT_QUOTES,'UTF-8');
    $ar = preg_split('/(?<!^)(?!$)/u', $str );  // split into single (possibly multi-byte) UTF-8 characters
    $str2 = '';  // accumulator; must be initialised or PHP raises an undefined-variable notice
    foreach ($ar as $c){
        $o = ord($c);  // first byte only; > 127 for any multi-byte sequence
        if ( (strlen($c) > 1) || /* multi-byte [unicode] */
            ($o <32 || $o > 126) || /* <- control / latin weirdos -> */
            ($o >33 && $o < 40) ||/* quotes + ampersand */
            ($o >59 && $o < 63) /* html */
        ) {
            // convert to numeric entity
            $c = mb_encode_numericentity($c,array (0x0, 0xffff, 0, 0xffff), 'UTF-8');
        }
        $str2 .= $c;
    }
    return $str2;
}

As for escaping your data when it enters the database, you can apply htmlentities() before you insert into the database. Then, when you output, you can do it again for good measure, but be sure not to double encode, or else you won't be able to read anything. Here's an example.

//Decode existing htmlentities (the flags and charset must match the encode step below)
$OutputStringRaw = html_entity_decode(stripslashes($str),ENT_QUOTES,'UTF-8');

//Now you can apply htmlentities (or whatever else) w/o fear of double encoding.
$OutputStringClean = htmlentities($OutputStringRaw,ENT_QUOTES,'UTF-8');

But really, it's best just to leave the entries in the database without the HTML escaping. When you insert your data, either use PDO (here's an ok tutorial on it), or keep on using the mysql_real_escape_string() you've been using.

Joseph Szymborski
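The approach this answer ends on (store the text unmodified, parameterise the INSERT, escape per output context at output time), as an added example that is not code from the original answer. It uses PDO against an in-memory SQLite database so it runs without a MySQL server; it assumes the pdo_sqlite extension and PHP 7.3 or later, and the `comments` table, the sample input and the two render functions are constructed for this demonstration.

```php
<?php
// Added example, not code from the original answer. Demonstrates the
// pattern recommended above: parameterise the INSERT so the text is stored
// exactly as typed, then escape for each output context at output time.
// Assumptions: the pdo_sqlite extension is available (an in-memory SQLite
// database stands in for MySQL), PHP 7.3+ (JSON_THROW_ON_ERROR); the
// "comments" table, the sample input and the two render functions are
// constructed for this demonstration.

declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed input: an apostrophe (breaks naive quoting), a script tag
// (breaks naive HTML output) and non-Latin1 text (what the answer calls
// "UTF-8 proofing").
$userInput = "O'Malley wrote <script>alert('xss')</script> ünïcödé ✓";

// For contrast: building the SQL by string interpolation. The apostrophe
// terminates the literal early, so this fails (and, with crafted input,
// would let the user supply SQL of their own).
try {
    $db->exec("INSERT INTO comments (body) VALUES ('$userInput')");
} catch (PDOException $e) {
    echo 'naive query failed: ', $e->getMessage(), "\n";
}

// Prepared statement: the value travels separately from the SQL, so no
// escaping is needed and nothing is mangled on the way in.
$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $userInput]);
$id = (int) $db->lastInsertId();

$select = $db->prepare('SELECT body FROM comments WHERE id = :id');
$select->execute([':id' => $id]);
$stored = (string) $select->fetchColumn();

if ($stored !== $userInput) {
    throw new RuntimeException('stored text differs from what the user typed');
}

// Output context 1: HTML element text or attribute value.
function renderHtml(string $text): string
{
    // ENT_QUOTES covers both ' and ", so the result is also safe inside
    // single- or double-quoted attributes; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Output context 2: an AJAX/JSON response consumed by JavaScript.
function renderJson(string $text): string
{
    // json_encode yields a valid JS string literal; the JSON_HEX_* flags
    // additionally encode < > & ' " so the document stays safe even if it
    // is later embedded directly in an HTML page or <script> block.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR;
    return json_encode(['body' => $text], $flags);
}

echo '<p>', renderHtml($stored), "</p>\n";   // for an HTML page
echo renderJson($stored), "\n";              // for an application/json response
```

Run it from the command line with `php`; to use it against MySQL, swap the DSN for one of the form `mysql:host=...;dbname=...;charset=utf8mb4` and the prepared statements work unchanged. Send the JSON form with `Content-Type: application/json` and have the client put the value into the page with `textContent`; only the HTML-escaped form is safe to hand to `innerHTML`.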

You can use md5 encryption for securing the text before it enters into the database. But nowadays using an md5 hash is not so secure; it is decryptable. If anyone gets access to your database, they will be able to decrypt the password. You can use bcrypt, which I think is a very good method for encryption.

user1492669