
The PHP manual and user feedback within all leave me feeling confused. I'm trying to fix someone else's code where he resorted to converting all form data to ASCII codes and back.

This was done as a crude way of escaping everything but is hard to maintain and the database looks like a bunch of comma separated numbers instead of a queryable database. Surely there's a sure-fire way in php to store a form value and retrieve it without so many contortions. The various escape and unescape functions don't seem to escape everything.

You also need to check this and set this but make sure something else is not set. What gives? Simply stated, whatever is in the form fields must be reliably written to MySQL columns and be easy to retrieve back into PHP and query in mysql. The form is on the intranet and the data may contain all normal keyboard input including dollar sign, percent sign, slashes and apostrophes.

LSerni
chris

1 Answer

  1. If you are using an out-of-date version of PHP: upgrade PHP or move to better hosting that has a newer PHP. Failing that: disable magic quotes in your PHP settings. Failing that as well: detect and undo magic quotes. Magic quotes were a terrible idea and have been removed from PHP.
  2. When inserting data into a database, use prepared statements and parameterized queries.
  3. When inserting data into HTML, escape special characters (make sure the quote options are set correctly for the type of quotes you surround your attribute values with; the default is safe only for `value="<?php echo ... ?>"` and not if you use `'` instead). For more complex scenarios, see the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet.
Quentin
  • php 5.3.3 This is trusted intranet app and we're not overly concerned with cross site scripting and sql injection. just want to store and retrieve form data without anything getting garbled. So you're saying i have to use parameterized queries and escape special characters and make sure to use right quotes etc? Apart from turning off magic quotes at top of code (easy part) what is an example set of statements to insert and retrieve a single form field with all chars intact. The php manual on escape special chars is a wonderful merry-go-round. Used to perl manual where things are definitive. – chris Oct 21 '12 at 23:31
  • "This is trusted intranet app and we're not overly concerned with cross site scripting and sql injection" — **be concerned**. People make typos. Perfectly good data can break SQL. Employees can get disgruntled. – Quentin Oct 22 '12 at 08:10
  • "So you're saying i have to use parameterized queries and escape special characters and make sure to use right quotes etc?" — Yes. "what is an example set of statements" — The links cover that. "The php manual on escape special chars is a wonderful merry-go-round" — If you are dealing with the scenario described in the answer, just call `htmlspecialchars` on the string you are inserting into the HTML document and insert the return value instead. – Quentin Oct 22 '12 at 08:14
  • The reason I ask is not because I'm lazy to read posts and the manual but I can't make sense of it all with just about every aspect of this being hotly contested. Even in the manual itself. Parameterizing should (mostly) take care of the SQL injection, whilst I will be making sure data is clean. I just don't want the answers going completely off the tangent in that direction. I'll have a look at htmlspecialchars next, thanks. – chris Oct 23 '12 at 22:50
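The insert-and-retrieve example the comments ask for, written here as an added illustration of the answer's three steps (it is not code from the answer or from the PHP manual). It assumes a hypothetical table `form_data` with one text column, and uses an in-memory SQLite database so it runs offline; against MySQL only the PDO connection line would change.

```php
<?php
// Added example: round-trip one form field through the database with every
// character intact, then escape it only at the point where it enters HTML.

// Step 1 of the answer: detect and undo magic quotes on legacy PHP (< 5.4).
// On modern PHP the function no longer exists and the value is returned as-is.
function undoMagicQuotes(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Step 2: store and read back through prepared statements. The value travels
// as a bound parameter, so $, %, slashes and apostrophes never touch the SQL
// text and nothing has to be escaped or converted to ASCII codes.
function storeAndFetch(PDO $db, string $value): string {
    // SQLite syntax; for MySQL use INT AUTO_INCREMENT PRIMARY KEY instead.
    $db->exec('CREATE TABLE IF NOT EXISTS form_data (id INTEGER PRIMARY KEY, comment TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO form_data (comment) VALUES (:comment)');
    $ins->execute([':comment' => $value]);
    $sel = $db->prepare('SELECT comment FROM form_data WHERE id = :id');
    $sel->execute([':id' => $db->lastInsertId()]);
    return (string) $sel->fetchColumn();
}

// Step 3: escape on the way into HTML. ENT_QUOTES covers both ' and ", so the
// result is safe inside single- or double-quoted attributes (the default flags
// leave ' unescaped, which is the trap the answer warns about).
function toHtmlAttribute(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input covering the character classes named in the question
// (dollar sign, percent sign, slashes, apostrophes, double quotes).
$sample = "O'Brien paid \$5 (50%) for C:\\path\\to\\file; \"quoted\" text";
$raw    = undoMagicQuotes($_POST['comment'] ?? $sample);

// For MySQL: new PDO('mysql:host=...;dbname=...;charset=utf8mb4', $user, $pass, [...])
// and add PDO::ATTR_EMULATE_PREPARES => false to get server-side parameters.
$db     = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stored = storeAndFetch($db, $raw);
assert($stored === $raw);  // byte-for-byte round trip, no contortions

// The same escaped value works in either attribute quoting style.
echo '<input type="text" name="comment" value="' . toHtmlAttribute($stored) . "\">\n";
echo "<input type='text' name='comment' value='" . toHtmlAttribute($stored) . "'>\n";
```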