
I am trying to learn and better understand how to properly prevent SQL injection and properly extract database information to show in a website.

I am currently using mysqli_real_escape_string but the problem is when I extract the data there is a slash where the user may have entered an apostrophe or a quote, such as O'Connell, etc...

If I use a function to remove slashes, it defeats the purpose of using the mysqli_real_escape_string.

What is the proper way to prevent injection while allowing usage of apostrophes where necessary?

MySql

$name = mysqli_real_escape_string($link, $_POST['commentName']);
$comment = mysqli_real_escape_string($link, $_POST['commentMessage']);
$BID = mysqli_real_escape_string($link, $_POST['BID']);

HTML/PHP

<div class="uname"><?php echo $name ?></div>
<div class="comment"><p><?php echo $comment ?></p></div>
  • Take a look at prepared statements: http://php.net/manual/en/mysqli.prepare.php If used properly, it's all you'll need against SQL injection. – icecub Mar 27 '15 at 02:00
  • @icecub Almost. Let's not leave XSS injection out of the equation ;-) – Funk Forty Niner Mar 27 '15 at 02:01
  • @Fred-ii- As I said.. against SQL injection :P Though admittedly I'm not very familiar with XSS injection. – icecub Mar 27 '15 at 02:02
  • You should only use SQL escaping when you're putting the input into the database. You shouldn't use it when you're displaying it on the web page. In that case you should use `htmlentities`. – Barmar Mar 27 '15 at 02:03
  • @icecub Have a look at http://stackoverflow.com/questions/1996344/is-preventing-xss-and-sql-injection-as-easy-as-does-this – Funk Forty Niner Mar 27 '15 at 02:04
  • @Fred-ii- for that I was considering using a HTML Purifier, would that solve most of the risks? – SteveMills04 Mar 27 '15 at 02:04
  • @SteveMills04 There's a page talking about it on Stack http://stackoverflow.com/questions/28709474/issue-about-xss-attack-and-sql-injection – Funk Forty Niner Mar 27 '15 at 02:05
  • @Fred-ii- Thanks that clears it up. – icecub Mar 27 '15 at 02:06
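The comments above point to the two separate fixes: bound parameters when the value goes into the database, and HTML encoding when it comes back out onto the page. The following is an added example written for this page, not code from the question or its comments; it assumes an open mysqli connection in $link and a table named `comments` with columns `BID`, `name` and `comment` (the table and column names are assumptions). Note also that mysqli_real_escape_string on its own does not store backslashes: the server strips them when it parses the quoted literal, so backslashes showing up in stored data mean the value was escaped twice (for example by the old magic_quotes_gpc setting plus a manual escape). With bound parameters there is nothing to escape in the first place.

```php
<?php
// Added example, not from the original question or comments.
// Assumes $link is an open mysqli connection and a table
// `comments` (BID INT, name VARCHAR(255), comment TEXT) exists;
// those names are assumptions for illustration.
declare(strict_types=1);

// Storing input: a prepared statement with bound parameters.
// The SQL text reaches the server separately from the values, so a
// name like O'Connell can never alter the query's structure, no escaping
// is applied by hand, and no backslashes end up in the database.
function save_comment(mysqli $link, int $bid, string $name, string $comment): bool
{
    $stmt = $link->prepare('INSERT INTO comments (BID, name, comment) VALUES (?, ?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }
    $stmt->bind_param('iss', $bid, $name, $comment); // i = integer, s = string
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Reading rows back: the lookup key is bound the same way.
// bind_result/fetch is used so this works without the mysqlnd driver.
function load_comments(mysqli $link, int $bid): array
{
    $stmt = $link->prepare('SELECT name, comment FROM comments WHERE BID = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }
    $stmt->bind_param('i', $bid);
    $stmt->execute();
    $stmt->bind_result($name, $comment);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['name' => $name, 'comment' => $comment];
    }
    $stmt->close();
    return $rows;
}

// Displaying: encode for the HTML context at output time, never at storage
// time. The apostrophe in O'Connell stays intact in the database and is
// emitted as &#039; in the page, so it renders correctly and cannot break
// out of the surrounding markup (this is the XSS side the comments mention).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Usage with the question's form field names (connection details are placeholders).
$link = new mysqli('localhost', 'db_user', 'db_password', 'app_db');
$link->set_charset('utf8mb4');

$bid     = (int) ($_POST['BID'] ?? 0);
$name    = (string) ($_POST['commentName'] ?? '');
$comment = (string) ($_POST['commentMessage'] ?? '');

save_comment($link, $bid, $name, $comment);

foreach (load_comments($link, $bid) as $row) {
    echo '<div class="uname">' . h($row['name']) . '</div>';
    echo '<div class="comment"><p>' . h($row['comment']) . '</p></div>';
}
```

The split matters: escaping is a property of the destination, so the same stored string is bound as a parameter for SQL and passed through htmlspecialchars for HTML. Calling set_charset on the connection is part of the SQL side, because the driver's parameter handling and any remaining escaping both depend on knowing the connection's character set.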
