1

Strings can be escaped in PHP before inserting them into the database. But what happens if a user of my website enters PHP code?

For example, a user submits the following to a form, which escapes the string and inserts the data into my database.

Hello! <?php echo 'this is evil'; ?>'

Then this PHP line will be stored in the database. And when I display the content, it will be converted into this:

<div>Hello!<?php echo 'this is evil'?></div>

Isn't this a potential security risk, as the PHP code can be very malicious?

Does this mean I have to use strip_tags on every user input?

Abhishek Goyal
  • 867
  • 1
  • 7
  • 21
  • You should sanitize user input no matter what, but no, that would not run. I'd replace `<>` with their respective `html_entities` however. – Cyclone May 11 '14 at 03:58
  • Should I use `htmlspecialchars` when displaying the content? Also, why won't the above php code work? It should echo correctly if I echo the content to a div right? – Abhishek Goyal May 11 '14 at 03:59
  • Nevermind, I got it. The php code gets echoed, so it won't be interpreted. – Abhishek Goyal May 11 '14 at 04:08
  • PHP cannot be nested. `" ?>` will output ``, not `foo`. – Marc B May 11 '14 at 04:38
  • @MarcB Yes I got that bit, but now I don't know which answer to accept as they're all almost the same lol – Abhishek Goyal May 11 '14 at 04:39
  • Have a look at [my answer to *Preventing code injection without limiting user input?*](http://stackoverflow.com/a/23501225/53114) – Gumbo May 11 '14 at 06:27

3 Answers

2

No, it's not risky, since PHP does not interpret the code and you don't use eval on these values, so they will be shown as plain text.

Now, the thing is, you should validate the user's inputs. For example, if this is an input for a first name, no one's name contains < or ?, so you can use a regexp to validate values.

Or you should print htmlentities of the value instead of the raw value.

Mohebifar
  • 3,341
  • 1
  • 24
  • 32
  • I see. So the php code does not get interpreted because it's being echoed right? Just like when we echo html code? I use the `&` prefix for some functions on my website. I hope htmlentities will not remove that? – Abhishek Goyal May 11 '14 at 04:06
  • 1. Yes. It's just like echoing HTML. 2. It will transform `&` to `&amp;` – Mohebifar May 11 '14 at 07:23
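The point made in this answer, as an added example that is not code from the question or the answers: a string read back from the database containing `<?php ... ?>` is emitted as characters, never handed to the interpreter, so the stored PHP does nothing. What does matter is that the same raw echo makes any HTML in the value live, so the fix is output encoding. The `$fromDb` value is a constructed sample; `renderRaw`, `renderSafe` and `e` are names chosen for this example.

```php
<?php
// Added example, not from the original page. Shows that "<?php ... ?>" inside
// a stored string is plain text when echoed, and that the real risk is HTML
// injection (XSS), handled by escaping at output time.

// Constructed sample value, as if read back from the database. The "?>"
// inside a quoted string literal does not end PHP mode; it is just data.
$fromDb = "Hello! <?php echo 'this is evil'; ?> <script>alert(1)</script>";

// What the question's code does: concatenate the value straight into markup.
// The PHP tags are never evaluated (only eval() or include() of user data
// would do that), but the <script> element is live HTML once a browser
// parses the page.
function renderRaw(string $value): string
{
    return "<div>" . $value . "</div>";
}

// Output encoding for HTML text and attribute contexts. ENT_QUOTES also
// encodes single quotes, so the value is safe inside attributes delimited by
// either quote character; ENT_SUBSTITUTE avoids returning "" on invalid UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The same value placed in both an attribute and the element text, escaped once
// per context. Replacing only "<" and ">" would leave the quotes unescaped and
// let the value break out of the title attribute.
function renderSafe(string $value): string
{
    return "<div title=\"" . e($value) . "\">" . e($value) . "</div>";
}

$raw  = renderRaw($fromDb);
$safe = renderSafe($fromDb);

// Checks: the PHP was not evaluated (its source text survives verbatim in
// the raw output), and the escaped output contains no raw tag or quote.
if (strpos($raw, "<?php echo 'this is evil'; ?>") === false) {
    throw new RuntimeException('stored PHP source should appear verbatim, unevaluated');
}
if (strpos($safe, '<script') !== false || strpos($safe, "'") !== false) {
    throw new RuntimeException('escaped output still contains raw markup or quotes');
}

echo $raw, PHP_EOL;
echo $safe, PHP_EOL;
```

Run it with `php example.php`; the first line printed is the page as the question renders it (with the `<script>` element intact), the second is the escaped form, in which both the PHP tags and the script tag are visible text.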
-1

That PHP code won't run, but you have to validate user form data before submitting it to the database.

Replace all "<" and ">" with &lt; and &gt; respectively:

// Encode the two characters that open and close HTML tags
$data = str_replace("<", "&lt;", $data);
$data = str_replace(">", "&gt;", $data);

This also helps if a user tries to insert some JavaScript into your code.

ashishmaurya
  • 1,196
  • 10
  • 18
-1

You have to add an anti-injection function, such as mysqli_real_escape_string() or htmlspecialchars() or addslashes(), to the data that has been submitted by users.

  • I have done that since the starting. I was just confused whether php code will work in it. – Abhishek Goyal May 11 '14 at 04:04
  • -1, **NO!** `mysqli_real_escape_string` and `htmlspecialchars` are **not** the same thing and [should be used only in the correct area of your code](http://stackoverflow.com/a/3126175/168868). – Charles May 13 '14 at 01:09
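The separation Charles is insisting on in the comment above, as an added example that is not code from any of the answers: SQL protection and HTML protection belong to different layers. A parameterized query moves the value into the database exactly as typed, and HTML escaping happens only when the value is written into a page. The example assumes the pdo_sqlite extension is available; the `comments` table, the `$input` value and the helper `e` are constructed for this example.

```php
<?php
// Added example, not from the original page. Storage layer: bound parameters.
// Presentation layer: htmlspecialchars() at output. Neither layer reuses the
// other's escaping. Assumes pdo_sqlite; table and column names are invented.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)");

// Constructed input: a quote that would break a concatenated query, an
// ampersand, the question's PHP snippet, and an HTML tag.
$input = "O'Brien says: <?php echo 'this is evil'; ?> & <b>bold</b>";

// Storage: the value is bound, not interpolated, so no SQL escaping is needed
// and none is applied. Calling htmlspecialchars() or addslashes() here would
// change the data that gets stored.
$insert = $pdo->prepare("INSERT INTO comments (body) VALUES (:body)");
$insert->execute([':body' => $input]);

// The row holds the original text, byte for byte.
$stored = $pdo->query("SELECT body FROM comments")->fetchColumn();
if ($stored !== $input) {
    throw new RuntimeException('stored value was altered on the way in');
}

// Presentation: escape once, for the HTML text context, at output time.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
$html = "<div>" . e($stored) . "</div>";

// Both the PHP tags and <b> are now visible text, and "&" cannot start an
// entity of its own.
if (strpos($html, '<b>') !== false || strpos($html, '<?php') !== false) {
    throw new RuntimeException('unescaped markup reached the output');
}
echo $html, PHP_EOL;

// Contrast with encoding at storage time (the str_replace approach): the data
// itself is changed, so an exact-match lookup for what the user typed fails.
$pdo->exec("DELETE FROM comments");
$insert->execute([':body' => str_replace(['<', '>'], ['&lt;', '&gt;'], $input)]);
$find = $pdo->prepare("SELECT COUNT(*) FROM comments WHERE body = :body");
$find->execute([':body' => $input]);
if ((int) $find->fetchColumn() !== 0) {
    throw new RuntimeException('pre-encoded row unexpectedly matched the raw input');
}
```

The same value can later be rendered into a JSON response, a plain-text e-mail or a JavaScript string; each of those needs its own encoder at its own output point, which is only possible because the stored text was never pre-encoded for HTML.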