
I have a website where I can't use htmlentities() or htmlspecialchars() to process user input data. Instead, I added a custom function, which in the end is a function that uses an array $forbidden to clean the input string of all unwanted characters. At the moment I have '<', '>', "'" as unwanted characters because of SQL injection/browser hijacking. My site is encoded in UTF-8 - do I have to add more characters to that array, i.e. the character '<' encoded in other charsets?

Thanks for any help,

Maenny

    Why can't you use htmlentities()? – Pekka Jul 13 '10 at 11:19
  • because it does weird things with Cyrillic characters, which I want to be enabled for user input. – Maenny Jul 13 '10 at 11:22
  • have you tried using htmlentities() with the optional charset argument? – Mark Baker Jul 13 '10 at 11:28
  • You can't use htmlspecialchars with UTF-8 encoding? See the docs for encoding types: http://php.net/manual/en/function.htmlspecialchars.php – Ashley Jul 13 '10 at 11:32
  • well, yes I can use UTF-8 with htmlentities, but when I do, in my DB, a word like Начало will show up as Явление абсолютного зла, which is kind of hard to read... So what I need is a possibility to have Начало saved in the way it is, and, at the same time, have no security issue... – Maenny Jul 13 '10 at 11:41

3 Answers

1
  1. Neither the htmlentities nor the htmlspecialchars function has anything to do with SQL injection
  2. to prevent injection, you have to follow some rules, I've described them all here
  3. to filter HTML you may use the htmlspecialchars() function, it will harm none of your Cyrillic characters
Your Common Sense
  • it's true that htmlentities or htmlspecialchars have nothing to do with SQL injection, that would be for browser hijacking. Nevertheless, it seems like the problem I have really is an encoding problem, because all of the Cyrillic characters are sent through POST and thereby converted to ampersand entities. I haven't found a way to convert the ampersand entities back to UTF-8 characters, does anyone have an idea for that? Maenny – Maenny Jul 13 '10 at 13:27
  • @Maenny html_entity_decode() is ideal for that, but instead of constant decoding you have to do it only once and then stop encoding at all. – Your Common Sense Jul 13 '10 at 15:02
0

You should escape ", too. It is much more harmful than ', because you often enclose HTML attributes in ". But why don't you simply use htmlspecialchars to do that job?

Furthermore: it isn't good to use one escaping function for both SQL and HTML. HTML needs escaping of tags, whereas SQL does not. So it would be best if you used htmlspecialchars for HTML output and PDO::quote (or mysql_real_escape_string or whatever you are using) for SQL queries.

But I know (from my own experience) that escaping all user input in SQL queries may be really annoying, and sometimes I simply don't escape parts because I think they are "secure". But I am sure I'm not always right about assuming that. So, in the end, I wanted to ensure that I really escape all variables used in an SQL query and therefore have written a little class to do this easily: http://github.com/nikic/DB Maybe you want to use something similar, too.

NikiC
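The two answers above make the same point from different angles: keep the HTML escaping and the SQL escaping separate, and let htmlspecialchars() handle UTF-8 text as-is. The following PHP script is an added example written for this page; it is not code from any of the answerers or from the nikic/DB class. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table and column names, the helper function names and the sample input are all constructed for the example.

```php
<?php
// Added example (not from the answers on this page). Shows the separation the
// answers recommend: prepared statements for the SQL context, htmlspecialchars()
// for the HTML context, and no character stripping at input time.
declare(strict_types=1);

// Constructed user input: the Cyrillic word from the question, HTML markup,
// both quote characters, and an SQL comment/boolean fragment.
$userInput = 'Начало <b>bold</b> "quoted" \'single\' OR 1=1 --';

// HTML context: ENT_QUOTES escapes both ' and " (the asker's $forbidden array
// drops the double quote, which NikiC points out is the more dangerous one
// inside attributes). An explicit 'UTF-8' charset leaves multibyte
// characters such as Cyrillic untouched; ENT_SUBSTITUTE replaces invalid
// byte sequences instead of returning an empty string.
function escapeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SQL context: the value travels as a bound parameter, never as part of the
// query text, so none of its characters need to be stripped or escaped.
function storeComment(PDO $db, string $s): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $s]);
}

function loadComments(PDO $db): array
{
    return $db->query('SELECT body FROM comments')->fetchAll(PDO::FETCH_COLUMN);
}

// The asker's approach, reproduced for comparison: strip a fixed list.
function stripForbidden(string $s): string
{
    $forbidden = ['<', '>', "'"];
    return str_replace($forbidden, '', $s);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Store the raw string once. The database keeps the Cyrillic exactly as
// typed, and the "OR 1=1 --" fragment is inert data, not SQL.
storeComment($db, $userInput);
$stored = loadComments($db)[0];
assert($stored === $userInput);

// Escape only when rendering, in the HTML context.
echo escapeForHtml($stored), PHP_EOL;
// Начало &lt;b&gt;bold&lt;/b&gt; &quot;quoted&quot; &#039;single&#039; OR 1=1 --

// The stripping approach mangles the text and still lets the double quote
// through, so it protects neither context reliably.
echo stripForbidden($stored), PHP_EOL;
// Начало bbold/b "quoted" single OR 1=1 --
```

Run it with `php example.php` on any PHP build that ships the pdo_sqlite extension. The thing to take from it is that the raw string is stored unchanged and only transformed at the point where its context is known (here, HTML output); the comment thread's "ampersand" problem comes from encoding at input time and then storing the encoded form, which this layout avoids.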
-1

Put this code into your header page. It can prevent SQL injection attacks in PHP.

    <?php
    function clean_header($string)
    {
        $string = trim($string);

        // From RFC 822: "The field-body may be composed of any ASCII
        // characters, except CR or LF." Cut the value off at the first
        // line break so nothing after it reaches the header.
        if (strpos($string, "\n") !== false) {
            $string = substr($string, 0, strpos($string, "\n"));
        }
        if (strpos($string, "\r") !== false) {
            $string = substr($string, 0, strpos($string, "\r"));
        }

        return $string;
    }

PPShein