
Possible Duplicate:
Best way to prevent SQL Injection in PHP

On my site I have some HTML content that a user sometimes must save in the database. What is the safe way to do this? (I don't want my database to be in danger, or the users who will later see that code when it is loaded from the database.)

So what I have read is:

Use htmlentities to save data in the database, and html_entity_decode to decode data from the database. Is this safe enough, or should I use something else?

SomeoneS
  • Well, I am not worried only about the database, also about displaying HTML from the database. – SomeoneS Jul 29 '12 at 09:11
  • That's [a completely different problem](http://stackoverflow.com/questions/3129899/what-are-the-common-defenses-against-xss) (and one you solve just before inserting content into an HTML document, not just before inserting content into a database). – Quentin Jul 29 '12 at 09:14

2 Answers


Provided you're using string escaping and/or prepared statements, HTML markup can't cause any damage to your database. The danger with HTML markup comes when you display it to the user: if someone has injected unsavory HTML into the markup you're going to display, then you've got an XSS attack on your hands.

If you're not escaping or using prepared statements, then pretty much any data that comes from outside can be dangerous.

GordonM
  • I haven't heard of "prepared statements", but I found this function: ` function make_safe($variable) { $variable = stripslashes($variable); $variable = mysql_real_escape_string(trim($variable)); $variable = htmlspecialchars($variable); return $variable; } ` Is this good enough for escaping? – SomeoneS Jul 29 '12 at 09:10
  • That's horrid! Don't use it. – GordonM Jul 29 '12 at 09:10
  • Why? Well, how should it look? (I used this code once for sanitising user registration data) :s – SomeoneS Jul 29 '12 at 09:13
  • http://en.wikipedia.org/wiki/Prepared_statement – GordonM Jul 29 '12 at 09:40
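As an added illustration of this answer's two points (it is not GordonM's code), the following PHP stores user-supplied HTML through a PDO prepared statement and escapes it only at the moment it is echoed into a page. It assumes PDO with the sqlite driver so it runs without a MySQL server; the table name `notes` and the sample input are constructed for the example. It also carries the question's own htmlentities/html_entity_decode round trip through to show why that pair changes nothing for display safety.

```php
<?php
// Added example, not from the answer: prepared statement on the way in,
// context-appropriate escaping on the way out.
// Assumes the pdo_sqlite extension; table `notes` is hypothetical.

// Constructed sample input: a SQL-sensitive quote plus an XSS payload.
$userHtml = "O'Reilly <b>bold</b> <script>alert(1)</script>";

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Storing: the value travels as a bound parameter and is never spliced into
// the SQL text, so the quote in O'Reilly cannot terminate the string literal.
function saveNote(PDO $pdo, string $body): int {
    $stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function loadNote(PDO $pdo, int $id): ?string {
    $stmt = $pdo->prepare('SELECT body FROM notes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['body'] : null;
}

// Displaying: escape for the HTML text context right before output.
function renderAsText(string $body): string {
    return htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$id = saveNote($pdo, $userHtml);
$stored = loadNote($pdo, $id);
assert($stored === $userHtml);          // stored verbatim; the database is fine

echo renderAsText($stored), "\n";       // <script> reaches the browser as text, not markup

// The round trip the question proposes: htmlentities on save, html_entity_decode
// on read. The browser gets back exactly what was submitted, <script> included.
$encoded = htmlentities($userHtml, ENT_QUOTES, 'UTF-8');
$decoded = html_entity_decode($encoded, ENT_QUOTES, 'UTF-8');
assert($decoded === $userHtml);
```

The rule the block follows is that escaping belongs to the output context, not to the storage step: the database receives the raw string through a placeholder, and `htmlspecialchars()` is applied once, where the string meets HTML. Storing an encoded copy and decoding it on read only moves the problem.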

You might want to look at the PHP function mysql_real_escape_string() ... More in this post: strip_tags enough to remove HTML from string?

Here's an example ...

// scrub string ... call with sanitize($blah,1) to allow HTML
// note: mysql_real_escape_string() needs an open mysql_* connection, and the
// mysql extension was removed in PHP 7 (mysqli/PDO prepared statements replace it)
function sanitize( $val, $html=0 ) {
    if (is_array($val)) {
        // recurse into arrays so every leaf value is cleaned
        foreach ($val as $k=>$v) $val[$k] = sanitize($v, $html);
        return $val;
    } else {
        $val = trim( $val );
        if (!$html) {
            $val = strip_tags($val);
            $pat = array("\r\n", "\n\r", "\n", "\r");
            $val = str_replace($pat, '<br>', $val); // newlines to <br>
            // '/\s+$/' anchors at end of string; the original '/\s+\$/' matched a literal '$'
            $pat = array('/^\s+/', '/\s{2,}/', '/\s+$/');
            $rep = array('', ' ', '');
            $val = preg_replace($pat, $rep, $val); // remove multiple whitespaces
        }
        return mysql_real_escape_string($val); // escape stuff
    }
}
designosis
  • 1) mysql_real_escape_string has nothing to do with HTML markup, it's about making sure strings are properly quoted. 2) if you want to sanitize or strip HTML then use the right tools for the job (htmlentities/htmlspecialchars/strip_tags) and don't make your own ad-hoc solution. 3) mysql_* is obsolete and deprecated in all but name. If you're still using them then please switch to mysqli or pdo – GordonM Jul 29 '12 at 09:10
  • (1) his question had to do with database safety, not markup ... (2) my solution does use strip_tags ... (3) VERY good to know, thanks! For anyone else who didn't know this ... http://php.net/manual/en/mysqli.overview.php – designosis Jul 29 '12 at 09:19
  • @neokio I don't have to elaborate because I'm not a downvoter... for HTML sanitation you should use [HTMLPurifier](http://htmlpurifier.org/), instead of your own, regex based, not-enough-tested "solution", I'm only saying this because I also used my "solutions"... For SQLi, prepared statements if used correctly are considered to be safe, MySQLi or PDO... – Dejan Marjanović Jul 29 '12 at 09:31
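The comments on this answer recommend mysqli or PDO in place of mysql_*, and HTMLPurifier in place of a home-grown regex filter. As an added example (not designosis's code, nor HTMLPurifier's own sample), here is the "allow some HTML" path built that way: an allowlist of elements and URL schemes is enforced by HTMLPurifier, and the result goes into the database through a mysqli prepared statement. It assumes the composer package ezyang/htmlpurifier is installed, a hypothetical table `posts (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT)`, and placeholder database credentials.

```php
<?php
// Added example, not the answer's code: allowlist HTML sanitisation plus a
// mysqli prepared statement, replacing strip_tags()/mysql_real_escape_string().
// Assumes composer's autoloader and the ezyang/htmlpurifier package.
require __DIR__ . '/vendor/autoload.php';

// Constructed sample: legitimate formatting mixed with three XSS attempts
// (an event handler, a javascript: URL and a script element).
$dirty = '<p onclick="steal()">Hello <b>world</b> <a href="javascript:alert(1)">x</a>'
       . '<script>alert(1)</script></p>';

function purifyHtml(string $html): string {
    $config = HTMLPurifier_Config::createDefault();
    // Allowlist: only these elements and attributes survive; all else is dropped.
    $config->set('HTML.Allowed', 'p,b,i,a[href]');
    // Only http/https links are kept, so a javascript: href cannot get through.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

function savePost(mysqli $db, string $body): int {
    // The body is bound as a string parameter; no quoting or escaping by hand.
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
    return (int) $db->insert_id;
}

$clean = purifyHtml($dirty);
// $clean keeps <p>, <b> and the link text; the onclick handler, the
// javascript: href and the <script> element are gone.
assert(stripos($clean, 'onclick') === false);
assert(stripos($clean, 'javascript:') === false);
assert(stripos($clean, '<script') === false);

// Placeholder credentials: replace with your own.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app');
$db->set_charset('utf8mb4');
$id = savePost($db, $clean);
echo "stored post {$id}\n";
```

Purifying before storage is convenient, but the safest place for it is still at output time, so a record that was written before the allowlist was tightened cannot bypass it; running `purifyHtml()` again on the way out costs little. When the HTML is to be shown as literal text rather than rendered, `htmlspecialchars()` is the right tool instead.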