3

I have let the user enter some information (name, date of birth etc). Then I have to insert these values into the database. Should I use mysql_real_escape_string() to prevent a MySQL injection and htmlspecialchars() to handle the HTML tags? Are both of them needed, or will one of them do?

If I should use just one of them, then which one? If I should use both, then which one first and which one last?

Ryan
Harshad
    You are conflating input encoding and output encoding - in short, `mysql_real_escape_string()` = encoding data going into the database (which isn't necessary as current "best practice" is to use parameterised queries) and `htmlspecialchars()` is output encoding for when displaying content back to the user. Output encoding is definitely necessary. I recommend various OWASP cheatsheets/resources as further reading. – kwah Jun 18 '13 at 12:11

2 Answers

5

Should I use mysql_real_escape_string to prevent the mysql injection

No. Use prepared statements and parameterized queries. This will require you to stop using the obsolete mysql_* library in favour of something more modern (like PDO).

and htmlspecialchars to handle the html tags both or one of them can do the work?

Use htmlspecialchars to protect against XSS attacks when you insert the data into an HTML document. Databases aren't HTML documents. (You might later take the data out of the database to put it into an HTML document, that is the time to use htmlspecialchars).

Quentin
1

No mysql_real_escape_string()! You should use PDO. It uses prepared statements, which will not be vulnerable to injection attacks because MySQL is given the unparameterized SQL first and then given the data to plug in.

For example:

// The DSN, user and password are placeholders; adjust them for your own setup
$dbh = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass');
// Use the server's native prepared statements so the SQL text really is sent
// first and the data afterwards, as described above
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$stmt = $dbh->prepare('INSERT INTO data (something) VALUES (:userInput)');

// No mysql_real_escape_string necessary: the value never becomes part of the SQL text
$stmt->execute(array(
    ':userInput' => $_POST['userInput']
));

htmlspecialchars() shouldn't be used on all input, but it should be used! Although typically applied after data is retrieved from the db (although, it might be a good idea to do it before in case it is forgotten afterward), it is useful for user input that you will be echoing into your HTML pages. It protects you against XSS (Cross Site Scripting) attacks, in which a malicious user can add <script> tags that contain malicious code into an input field on your site. When other users visit the page on which this malicious user posted, their browser will interpret the evil scripting, which could do things such as steal session ids or attempt CSRF (Cross Site Request Forgery).

Bottom line: You should use it before echoing any user content to your pages, unless that content has been validated by a rigorous filter (like one for birthdates which only accepts mm/dd/yy). If you're unsure, then use it anyway. It won't hurt. It will only help!

Further Reading:

Bailey Parker
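Both answers describe the same two layers: parameters for the database, htmlspecialchars() for the page. As an added example that is not from either answer, this PHP script runs both layers end to end against an in-memory SQLite database (it assumes the pdo_sqlite extension is loaded; the table and the sample input are constructed for the demo):

```php
<?php
// Added example, not from the answers above. Uses an in-memory SQLite
// database through PDO so it runs offline; table and input are constructed.
declare(strict_types=1);

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, dob TEXT NOT NULL)');

// Constructed "user input": a quote that would break a hand-built SQL string
// and a tag that would execute if echoed raw into a page.
$name = "O'Brien <script>alert(1)</script>";
$dob  = '1990-05-17';

// Layer 1: the SQL text holds only placeholders; the values travel
// separately, so the quote is stored as data and never parsed as SQL.
$stmt = $dbh->prepare('INSERT INTO users (name, dob) VALUES (:name, :dob)');
$stmt->execute([':name' => $name, ':dob' => $dob]);

// Layer 2: encode at the point where a value is placed into HTML.
// ENT_QUOTES also encodes the single quote, so the result is safe
// inside a single- or double-quoted attribute as well as in text.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$row = $dbh->query('SELECT name, dob FROM users WHERE id = 1')->fetch(PDO::FETCH_ASSOC);

// Stored exactly as entered: the database is not an HTML document,
// so nothing was escaped on the way in.
if ($row['name'] !== $name) {
    throw new RuntimeException('stored value differs from input');
}

// Rendered for the browser: the tag and the quote are now inert text.
echo '<li data-name="' . h($row['name']) . '">'
    . h($row['name']) . ' (' . h($row['dob']) . ')'
    . "</li>\n";
```

Run it with `php` on the command line and compare the echoed line with the raw `$name` to see which characters htmlspecialchars() replaced.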