
I have just read that PHP escapes incoming GET and POST requests on its own for some time. Double escaping does no good. Should I escape the strings at all?

For example I process a simple input like this:

$contact = mysqli_real_escape_string($dbLink, strip_tags($_POST['contact']));

Later, when saved and retrieved from the database I fill the input with last values, like:

echo '<input type="text" class="form-control" id="inputContact" name="contact" value="'.$contact.'">'.PHP_EOL;

When someone enters quotes in the field, it returns something like this, which destroys the form:

<input type="text" class="form-control" id="inputContact" name="contact" value="0900 123 456, jozefmat" ejkasdfadsf"="">
Viktor Sec
  • This could help http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php – drum Jul 14 '14 at 03:09

3 Answers


I have just read that PHP escapes incoming GET and POST requests on its own for some time

This is magic quotes; they were always ineffective and more trouble than they were worth. They have been deprecated and modern versions of PHP do not support them at all.

Should I escape the strings at all?

Yes. You should perform suitable sanitization of untrusted data (either via escaping, whitelist filtering or some other suitable means) as is applicable for the place you are putting the data, which is different depending on whether you are inserting it into a database query (search for SQL injection), an HTML document (search for XSS or Cross-Site Scripting) or somewhere else.

As you have noticed, the escaping you need even within an HTML document varies: what is suitable for "inside an element" is not always suitable for "inside an attribute value" or "inside a script element".

Quentin
  • Well, I'm inserting the data into the database and then retrieving it and inserting it into an HTML element as a value, as I have shown in the above example. How should I correctly escape it? Thanks! – Viktor Sec Jul 06 '14 at 18:41
  • @user3804991 — You have to protect against SQL injection when you insert it into the database. When you take it out of the database you then have to protect it against XSS before you insert it into an HTML document. – Quentin Jul 06 '14 at 18:42
  • http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php – Quentin Jul 06 '14 at 18:43
  • Where is the distinction between untrusted and trusted data? – Gumbo Jul 06 '14 at 18:43
  • http://stackoverflow.com/questions/3129899/what-are-the-common-defenses-against-xss – Quentin Jul 06 '14 at 18:44
  • @Gumbo — See the definition of trust in an English dictionary. If I'm writing a web interface for system administrators to run raw SQL against a database, then I have to trust them to write SQL that can be just run (to some degree at least). If I'm writing a blog comment system where Joe Random Internet User enters any text they like, then I can't trust them to write code without SQL or JavaScript in it. (These are non-exhaustive examples). – Quentin Jul 06 '14 at 18:46
  • There is a huge difference between whether you allow someone to specify the SQL command or to specify the parameter values used in a SQL command. But in the latter case, I wouldn't distinguish between whether the parameter values came from the system administrator or an anonymous user. It doesn't matter whether you consider the former 'trusted' and the latter 'untrusted'. You as the developer have to ensure just one thing: that the passed values are only interpreted as values. – Gumbo Jul 06 '14 at 19:14
  • People tend to have problems with judging whether they can trust some data or not. It’s better to tell them to treat any data equivalently regardless of their origin. – Gumbo Jul 06 '14 at 19:15
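The two layers Quentin describes in the comments (parameterize on the way into the database, escape for the HTML context on the way out), as an added example that is not part of the original question or any answer. It uses PDO with an in-memory SQLite database so it runs stand-alone (assumes the pdo_sqlite extension); with mysqli, as in the question, the equivalent is $stmt = $dbLink->prepare(...); $stmt->bind_param('s', $contact); $stmt->execute(). The table name, function names and the sample input are constructed for the example.

```php
<?php
// Added example, not code from the original page. PDO + SQLite in memory so it
// runs offline; the prepare/bind pattern is the same with mysqli.
declare(strict_types=1);

// Layer 1: the database. A parameterized query keeps the value out of the SQL
// text entirely, so no escaping function (mysqli_real_escape_string, addslashes,
// magic quotes) is needed, whatever the input contains.
function saveContact(PDO $db, string $contact): void
{
    $stmt = $db->prepare('INSERT INTO contacts (contact) VALUES (:contact)');
    $stmt->execute([':contact' => $contact]);
}

function loadLastContact(PDO $db): ?string
{
    $row = $db->query('SELECT contact FROM contacts ORDER BY id DESC LIMIT 1')
              ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['contact'];
}

// Layer 2: the HTML document. Escape at output time, for the context the value
// lands in. ENT_QUOTES matters inside an attribute: without it a double quote in
// the input closes value="..." early, which is exactly the broken form shown in
// the question.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderContactInput(?string $contact): string
{
    return '<input type="text" class="form-control" id="inputContact" name="contact" value="'
        . attr($contact ?? '') . '">' . PHP_EOL;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY AUTOINCREMENT, contact TEXT NOT NULL)');

// Constructed input: the quote-bearing string from the question plus a script
// tag. It is stored verbatim: no strip_tags, no escaping on the way in.
$userInput = '0900 123 456, jozefmat" ejkasdfadsf" <script>alert(1)</script>';
saveContact($db, $userInput);

$stored = loadLastContact($db);
var_dump($stored === $userInput);   // the database holds the raw value unchanged
echo renderContactInput($stored);   // quotes and angle brackets are entity-encoded
```

Because nothing is altered on the way in, the same stored value can later be emitted into a different context (a JSON response, an email, a log line) with that context's own encoder, instead of carrying HTML entities or backslashes around in the database. The strip_tags call from the question is dropped deliberately: it is not an XSS defence, and once the output is attribute-escaped it has no job left to do.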

It really depends upon what you are using the responses for and whether you are manipulating them afterwards.

For instance, if you are inserting the data into a DB then you should escape your data to prevent SQL injection. If you are just displaying the data then there should be no need unless you are displaying specific characters. But you can also exchange them for HTML entities.

In the example you gave, you should escape them, because that is how SQL injection works.

JimmyBorofan

It depends. If you're retrieving or sending anything to a database then yes, you should escape characters to avoid MySQL injection. But if it's just dealing with the client-side (browser) aspect then it wouldn't be a big deal.