How to accept only certain special characters while accepting a location address in PHP?

Question

I want to accept an address of a place and enter it into my database. If I send the address as a parameter to the following function it would remove all initial and end spaces along with all special characters

 public function sanitizeString($string){
        $sanitized_string = htmlentities(mysqli_real_escape_string($this->conn, trim($string)));
        return $sanitized_string;
    }

But as we know in addresses like

1/A Grand Trunk Road, Kolkata - 31

there are a few special characters like '/', '-', ',' which has to be accounted for.

I basically want to store the address of certain places in my database and convert them to latitudes and longitudes using Google Maps GeoCoding API and use markers to mark them on a Google Map.

Can anyone suggest me a way on how to sanitize the address keeping certain special characters intact or some other way to store addresses of places ?

EDIT

For those asking, I do use PDO prepared statements when dealing with database queries. Here is an instance

public function getUserByEmailAndPassword($email, $password){
        $stmt= $this->conn->prepare("select * from users where email= ? and status=1");
        $stmt->bind_param("s", $email);

        if($stmt->execute()){
            $user= $stmt->get_result()->fetch_assoc();
            $stmt->close();
            return $user;
        }
        else{
            return NULL;
        }
    }

But before I pass the $email as a parameter, I am sanitizing it using mysqli_real_escape_string which I probably do not need to do, because prepare and bind_param takes care of sql injection I think.

'/', '-', ',' are not special characters in this context. qequesque - https://github.com/search?l=php&q=mysql+sanitize&type=Code&utf8=%E2%9C%93 — strangeqargo, May 28 '16 at 22:04
But all ASCII punctuations and symbols are special characters, they may not be in this context but if I sanitize the string it will remove all special charaters — Surya Sekhar Mondal, May 28 '16 at 22:11
Don't do htmlentities before inserting data into a database; use it when you're displaying data, not when storing it — Mark Baker, May 28 '16 at 22:12
@CodeRabbit, no, not all ASCII punctuation and symbols are special characters, why should they be special? http://stackoverflow.com/questions/1086918/what-characters-have-to-be-escaped-to-prevent-mysql-injections — strangeqargo, May 28 '16 at 23:09
as @MarkBaker says, sanitation like htmlentities should only be used for output, otherwise you will lose/alter possibly valuable data that a non malicious user has inserted. — Webeng, May 28 '16 at 23:11
Check this. Possible duplicate of http://stackoverflow.com/questions/18912959/google-geocode-not-working-for-addresses-with-special-characters-from-database — Android Enthusiast, May 29 '16 at 11:23

score -1 · Answer 1 · answered May 28 '16 at 22:07

-1

As a general rule, when using PDO, you don't try to sanitize the values WHEN INSERTING into the database. We have prepared statements and parameter binding options to prevent sql injection

Now when you actually use the information stored in the database (which could contain malicious code), you always use the function htmlspecialchars() when you echo anything. For example:

//if you obtained the info from your database as follows:
$row = $stmt->fetch();

//then you can output it as follows:
echo htmlspecialchars($row['address']);

and your code will be protected both for sql injection (if you used prepared statements and binding parameters when inserting the information initially into the datbase) and for XSS with the function htmlspecialchars()

answered May 28 '16 at 22:07

Webeng

7,050
4
31
59

okay so it doesnt matter what is being inserted into database, only when I fetch it should I do htmlentities ? – Surya Sekhar Mondal May 28 '16 at 22:14
It's not that it "doesn't matter", the real question is at what time do you sanitize your information. Previously, before prepared statements existed, users would have to sanitize input because that was the only way to prevent sql injection, however the problem there was that you didn't have the "raw" data the users (that were not malicious) actually placed. So basically yes, as long as you are sanitizing the input "when it is used", you are better of inserting the raw data into the database as long as youuse techniques to protect urself against sql injection . – Webeng May 28 '16 at 22:51
@Webeng PDO? re-read author's post, please. Does he mention PDO? – strangeqargo May 28 '16 at 23:05
@strangeqargo I have already read his post. He doesn't mention which method he uses to query the database. Since PDO is by far the most recommended method due to its safety, many of the top users on stackoverflow take an extra effort in reinforcing to use this method, and I adopt that strategy as well. If he is not using PDO, I recommend he uses it. – Webeng May 28 '16 at 23:08
1

He mentions mysqli. If you suggest him to switch to PDO, do this clear and obvious, please. With an example, preferrably, so he couldn't have idea that "okay so it doesnt matter what is being inserted into database" – strangeqargo May 28 '16 at 23:11
also @Webeng I suggest you to remove closing ?> from your bio, because google it yourself – strangeqargo May 28 '16 at 23:16
@CodeRabbit he does not know what he's talking about. You're inserting data with mysqli, he suggests you to read data from database using pdo. – strangeqargo May 28 '16 at 23:50
@CodeRabbit As I mentioned in my posts, he should convert to PDO, and yes I do know what I'm talking about, strangeqargo is just being rude. If he actually thinks that what I said above for PDO is not valid, he should be taking classes since he is behind in his programming theory. – Webeng May 28 '16 at 23:58
I don't think @strangeqargo is being rude. His objection to your answer is perfectly valid. OP asks a question and you start off with implying (but not even stating it flat out) that he should switch to PDO for completely unknown reasons because "top users" do it. He's using mysqli with prepared statements, your answer is misleading in making him think A) his current solution doesn't work and B) PDO magically has advantages over mysqli without providing a single example of why he should switch. – kb. May 29 '16 at 07:29
Guys can someone please answer my query without any scuffles – Surya Sekhar Mondal May 29 '16 at 07:43
@CodeRabbit You don't need to use `mysqli_real_escape_string`. It won't have any affect because you are already protected from sql injection. I would recommend you don't use `mysqli_real_escape_string`, but to use `htmlspecialchars` when you retrieve the value from the database and echo it out. I'm sure the others here would recommend the same. – Webeng May 29 '16 at 08:09
@Webeng , considering author's edits to his post, please, edit your post so it mention that mysqli_real_escape string should not be used with PDO, because it's two unrelated extensions, more than that, mysql_real_string should throw notice without resourceLink parameter. // I'm sorry if I was rude, and I'll gladly upvote your edited answer. – strangeqargo May 29 '16 at 11:00

How to accept only certain special characters while accepting a location address in PHP?

1 Answers1