Is there an alternative to mysql_real_escape_string for PHP? I want to remove any JavaScript or PHP code entered into the text box.
-
strip_tags will be an option – GautamD31 Oct 30 '14 at 09:25
-
`mysql_real_escape_string` is not designed for removing JS or PHP code ... What do you want to do? Escape data before putting it in the database? Or strip JS/PHP code? – Martin Tournoij Oct 30 '14 at 09:26
-
Answered here: http://stackoverflow.com/questions/1162491/alternative-to-mysql-real-escape-string-without-connecting-to-db – Krisztian Tabori Oct 30 '14 at 09:26
-
@AresDraguna I did contact Larry Page, who apparently is a very good friend of mine. He said though Google gives you results, it's good if you get user-level, which gives me more hands on. – X10nD Oct 30 '14 at 09:28
-
@X10nD I don't care who your friends are, your question does not respect SO guidelines for asking questions and there are so many alternatives to `mysql_real_escape_string` that you can fairly call this an opinion based question. – Ares Draguna Oct 30 '14 at 09:31
-
I'm a bit confused about what you're asking for. It's going to be damn near impossible to filter out any PHP or JS code, but unless you're eval'ing it or putting it in – rjdown Oct 30 '14 at 09:32
-
@rjdown I don't want anyone entering any JavaScript or PHP code in a text box. Of course I could check on SQL commands with mysql_real_escape. – X10nD Oct 30 '14 at 09:36
-
@X10nD tell me... how come you have 4k rep and still don't know how to ask questions on SO? – Ares Draguna Oct 30 '14 at 09:39
4 Answers
That's not what mysql_real_escape_string does or did (the functions are now deprecated). An alternative to mysql_real_escape_string is using prepared statements, for example with PDO or MySQLi.
However, that's completely unrelated to stripping JavaScript or PHP code from a string; also, it could be relatively hard to identify 'JavaScript' or 'PHP'.
The real question here is: why do you want to strip it? The danger doesn't reside in saving the data, the danger resides in displaying the data. You should never ever execute code entered by the user, be it JavaScript or PHP.
As for JavaScript, disallowing HTML tags in your output is enough. Look into functions such as strip_tags, or even better, htmlspecialchars. Preventing PHP from execution is even easier: just do not use the method eval.

-
-
It depends on your needs. strip_tags strips all tags (HTML and PHP), which leaves you with a malformed string. htmlspecialchars enables you to display user-entered data without the risk of JavaScript being executed. – Sherlock Oct 30 '14 at 09:33
-
So if I `echo htmlspecialchars(strip_tags($string));` it might just work out well? – X10nD Oct 30 '14 at 09:34
-
It's either htmlspecialchars() or strip_tags(). The combination is redundant. I'd go for htmlspecialchars(). – Sherlock Oct 30 '14 at 09:34
-
-
It's redundant in the sense that strip_tags isn't necessary if you use htmlspecialchars. htmlspecialchars may indeed still be necessary if you use strip_tags, because it escapes characters that have significance in HTML (such as '<', without it being part of a tag). – Sherlock Oct 30 '14 at 09:40
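An added example (not code from the answer above or from any of the posters) that contrasts the SQL injection mysql_real_escape_string was written for with the PDO prepared statement the answer recommends, and then applies htmlspecialchars at output time, which is where the JavaScript risk actually lives. It assumes the pdo_sqlite extension is loaded and uses an in-memory SQLite database so it runs offline; the table, the column names and the sample comment are constructed for the demonstration.

```php
<?php
// Added example, not from the original answer. Assumes pdo_sqlite is available.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input: a "comment" carrying both a SQL quote and a script tag.
$author = "O'Brien";
$body   = 'Nice post <script>alert(document.cookie)</script> 1 <2';

// VULNERABLE: string concatenation. The apostrophe in $author breaks the statement,
// and with attacker-chosen input the statement can be rewritten. This is the class
// of bug mysql_real_escape_string existed to prevent.
try {
    $db->exec("INSERT INTO comments (author, body) VALUES ('$author', '$body')");
} catch (PDOException $e) {
    echo 'Concatenated INSERT failed: ' . $e->getMessage() . PHP_EOL;
}

// SAFE: prepared statement. Values travel as parameters and are never parsed as
// SQL, so no escaping function is needed and the stored text is exactly the input.
$stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$stmt->execute([':author' => $author, ':body' => $body]);

// Storing the raw text is correct; the XSS risk only appears when it is rendered.
// htmlspecialchars turns the tag delimiters and quotes into entities so the browser
// displays the text instead of executing it. ENT_QUOTES also covers attribute values.
function render(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($db->query('SELECT author, body FROM comments') as $row) {
    echo '<p><b>' . render($row['author']) . '</b>: ' . render($row['body']) . "</p>\n";
}
```

Run it with `php example.php`: the concatenated INSERT throws a syntax error, the prepared INSERT succeeds, and the rendered row shows `&lt;script&gt;` rather than a live script element. The same prepared-statement pattern applies unchanged to MySQL through the pdo_mysql driver.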
mysql_real_escape_string is a function that ensures that your string is correctly escaped for entering into the database. What goes into the database is exactly what you started with.
Anything that removes or changes the string will not be an alternative to mysql_real_escape_string. In other words, it will change the string, not escape it.
If you want to change the string you are storing, you can run it through strip_tags or preg_replace.
But (if it's appropriate to your situation), consider instead running the string through htmlspecialchars after retrieving it from the db, before displaying it.

mysql_real_escape_string is used to avoid SQL injection attacks, whereby people try to execute SQL commands against your database. You still need to use this (or move to PDO prepared statements etc.).
mysql_real_escape_string is not meant as a way to sanitize user input (e.g. HTML, JavaScript), which would leave your site open to XSS attacks. For that I would recommend HTML Purifier.

You can use strip_tags(); it will delete all HTML tags, including JavaScript.

-
Can someone tell me, why the downvotes? He asked how to remove code from text, which is exactly what strip_tags does. – Rikudou_Sennin Oct 30 '14 at 09:35
-
I didn't downvote this, but I agree with them. strip_tags removes HTML tags. It doesn't remove JavaScript (unless it's in script tags), or PHP (even if it's in PHP tags). – rjdown Oct 30 '14 at 09:50
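An added example (not from any of the answers or comments) that backs up two points made on this page: the second answer's distinction between escaping a string and changing it, and the comment above that strip_tags only removes tag-shaped code. It runs a handful of constructed inputs through both strip_tags and htmlspecialchars and checks whether the original text can be recovered from each result. No external library is needed.

```php
<?php
// Added example, not from the original answers. Sample inputs are constructed.
declare(strict_types=1);

$samples = [
    // Ordinary text with a '<' that is immediately followed by a non-space character:
    // strip_tags treats it as the start of a tag and discards everything after it.
    'price'   => 'Sale: 5 items <10 dollars each, hurry!',
    // Markup-based JavaScript: strip_tags removes it, htmlspecialchars neutralises it.
    'script'  => 'Hello <script>alert(1)</script> world',
    // JavaScript that is not inside any tag: strip_tags leaves it untouched, because
    // there is nothing tag-shaped to remove. It is harmless text unless eval'd.
    'bare_js' => 'alert(1); document.location = "http://example.invalid/";',
    // PHP code: strip_tags drops the <?php ... ?> block only because it is tag-shaped;
    // it would never have executed anyway unless the application eval'd it.
    'php'     => 'before <?php echo "hi"; ?> after',
];

// Escaping for display: every character with HTML meaning becomes an entity.
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Decoding the escaped form gives the original back, so nothing was lost in storage
// or in transit; only the browser's interpretation changed.
function isReversible(string $original, string $escaped): bool
{
    return html_entity_decode($escaped, ENT_QUOTES | ENT_HTML401, 'UTF-8') === $original;
}

foreach ($samples as $name => $input) {
    $stripped = strip_tags($input);
    $escaped  = escapeForHtml($input);

    echo "== $name ==\n";
    echo "input:            $input\n";
    echo "strip_tags:       $stripped\n";
    echo "htmlspecialchars: $escaped\n";
    echo 'escape reversible: ' . var_export(isReversible($input, $escaped), true) . "\n";
    echo 'strip reversible:  ' . var_export($stripped === $input, true) . "\n\n";
}
```

Running it with `php example.php` shows the 'price' sample truncated to `Sale: 5 items ` by strip_tags (the malformed-string problem the comments describe), the 'bare_js' sample passing through strip_tags unchanged, and every escaped form decoding back to the original input. That is the practical reason to store user text as-is (via a prepared statement) and escape it with htmlspecialchars at the point of display.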