
I'm wondering if the HTML code below (in conjunction with htmlspecialchars when processing) is enough to prevent SQL Injection:

<input name="email" type="email" required id="email" placeholder="Your Email Address" title="Valid email required" autocomplete="on" maxlength="50">

Will this prevent dangerous manipulation of variables as long as I use htmlspecialchars before sending it to my database? Or is there a workaround a hacker could use to enter whatever format they want?

I will be using prepared statements and bound params. My concern is if someone uses an older browser or device, will the HTML validations like "required" or type="email" still work. Could someone bypass them somehow? I need to know for error handling in my php code when I go to process this before sending to database... I think... Sorry, I'm kinda new to this so I hope I'm making sense.

Nate Loder
  • use mysqli_real_escape_string before sending it to db — Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection http://php.net/manual/en/mysqli.real-escape-string.php – CY5 Apr 17 '16 at 19:24
  • See http://stackoverflow.com/questions/162159/javascript-client-side-vs-server-side-validation - client validation as done by browsers is never enough. It just helps the user by not needing to send incomplete or bad data to the server, saving on data and round-trip time. However, you cannot trust the client to do what the server expects. The user or browser can do anything they want. – Arc Apr 19 '16 at 00:26

1 Answer


You can add your value to your database with bound parameters.

You have to take a look at Bind Params with PDO. It will be more secure than executing a query with variables.

Also you can use Xss Cleaner for showing results from your database. This function is a little bit faster than htmlspecialchars.

merdincz
  • Thanks, and yes I will be using prepared statements and bound params. My concern is if someone uses an older browser or device, will the HTML validations like "required" or type="email" still work. Could someone bypass them somehow? I need to know for error handling in my php code when I go to process this before sending to database... I think... Sorry, I'm kinda new to this so I hope I'm making sense. – Nate Loder Apr 17 '16 at 19:30
  • Yes. Hackers can easily pass HTML or JavaScript validation, and you can do that too. For example, open your web page and change the email property to text in the Chrome or Firefox inspect element tool. Then your browser won't check if it's an email or not. If you are making any kind of validation on the client side, you should make it on your server side too. For example, if your form has any input element with the email option, you should add on your PHP side a function like filter_var($_POST["email"], FILTER_VALIDATE_EMAIL) – merdincz Apr 17 '16 at 19:36
  • There is no problem creating custom HTTP requests with a program like Fiddler or a browser plugin, or netcat for Linux. Browser validation is just for user experience, so the user won't accidentally post anything wrong. You have to validate data on the server side as well. – Jan Sverre Apr 17 '16 at 19:38
  • @merdincz -Okay, that's exactly what I was looking for, thanks! I'm familiar with FILTER_VALIDATE_EMAIL. I just wondered if I needed to use it or not when the HTML is supposed to do that in the form before accepting submission. This helps a lot! Thanks again! – Nate Loder Apr 17 '16 at 19:40
  • While FILTER_VALIDATE_EMAIL is probably better than code written by most developers, it is flawed as it rejects some e-mail addresses in practice, e.g. IDN (domain names with non-ASCII Unicode characters) or some rare but valid syntax, depending on your PHP version. Just keep this in mind. – Arc Apr 19 '16 at 00:30
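The server-side handling the answer and comments describe, as an added example that is not from the question or any of the posters: the form's "required", "maxlength" and type="email" constraints are repeated in PHP, and the value reaches the database only through a PDO prepared statement. It assumes the pdo_sqlite extension is available (an in-memory SQLite database stands in for MySQL) and a table name, `subscribers`, that the page never gives.

```php
<?php
// Server-side re-check of what the <input> asked the browser for: presence
// ("required"), length ("maxlength=50") and format (type="email"). None of
// those attributes bind a client, so the server repeats them.
// Returns the trimmed address, or null with the reason left in $error.
function validate_email($raw, ?string &$error = null): ?string
{
    if (!is_string($raw)) { $error = 'email missing'; return null; }   // absent field or array
    $email = trim($raw);
    if ($email === '') { $error = 'email required'; return null; }
    if (mb_strlen($email) > 50) { $error = 'email too long'; return null; }
    // FILTER_VALIDATE_EMAIL rejects non-ASCII (IDN) addresses, as the last
    // comment above notes; decide whether that is acceptable for your users.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $error = 'email format invalid';
        return null;
    }
    return $email;
}

// Insert through a prepared statement with a bound parameter: the value is
// sent separately from the SQL text, so quote characters in it cannot alter
// the statement. No escaping and no htmlspecialchars() is involved here.
function store_email(PDO $pdo, string $email): void
{
    $stmt = $pdo->prepare('INSERT INTO subscribers (email) VALUES (:email)');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
}

// In-memory SQLite so the example runs without a MySQL server (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');

// Constructed sample inputs standing in for $_POST['email'] as a client that
// ignores the form's attributes could send it.
$samples = ['user@example.com', "bob' OR '1'='1", '', null, str_repeat('a', 60) . '@example.com'];
foreach ($samples as $raw) {
    $email = validate_email($raw, $error);
    if ($email === null) { echo "rejected: $error\n"; continue; }
    store_email($pdo, $email);
    echo "stored: $email\n";
}
echo 'rows: ' . $pdo->query('SELECT COUNT(*) FROM subscribers')->fetchColumn() . "\n";
```

Only the first sample is stored; the others are rejected by the server-side checks before any SQL runs, regardless of what the browser did or did not enforce.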