Do I need to `htmlspecialchars()` when I read PHP Session?

Question

Do I need to use htmlspecialchars() before I send PHP Session into MySQL query?

Can some evil hacker create sessions on his machine with a dangerous SQL injection in it??

Its safer to filter all data going into SQL queries. Even though it might be coming from a session, it may have originated from user input. `htmlspecialchars` is not the right function to filter most sql input. — datasage, Jan 24 '13 at 17:39
See also: http://stackoverflow.com/questions/7616265/session-injection — Antony, Jan 24 '13 at 17:41

score 4 · Accepted Answer · edited May 23 '17 at 12:27

4

No.

You use htmlspecialchars() before you put text into HTML. (Trusted HTML you put straight into HTML. Untrusted HTML you run through a whitelist). That is a defence against XSS.

It is SQL injection that you have to worry about when putting data into an SQL query. Since session data contains only what you put into it in the first place, if you take any measures to defend against SQL injection, then they will depend on what data you put into the session.

As a rule of thumb, any variable being put into a query should be inserted using bound variables and not string concatenation.

edited May 23 '17 at 12:27

Community

1
1

answered Jan 24 '13 at 17:40

Quentin

914,110
126
1,211
1,335

Is it possible that someone may spoof session at the client side? – ShuklaSannidhya Jan 24 '13 at 17:56
1

Sometimes it is possible to take over someone else's session, but never (baring other security holes) to add arbitrary data to it. – Quentin Jan 24 '13 at 19:36

Do I need to `htmlspecialchars()` when I read PHP Session?

1 Answers1