-5

I am new in PHP.

I use two ways to escaping string:

method 1. by using replace

function htmlreplace($str, $useBR = false) {
    $str2 = $str;
    $str2 = preg_replace ( "/</", "&lt;", $str2 );
    $str2 = preg_replace ( "/>/", "&gt;", $str2 );
    $str2 = preg_replace ( "/(\r\n|\n|\r)/", $useBR ? "<br />" : " ", $str2 );
    $str2 = preg_replace ( "/&/", "&amp;", $str2 );
    $str2 = preg_replace ( "/\'/", "&#39;", $str2 );
    return preg_replace ( "/\"/", "&#34;", $str2 );
}
$string='some string needs to insert into mysql';
stripslashes(htmlreplace($string));

method 2. After connecting to MySQL

function sanitizeString($var, $DBconnection) {
    $var = strip_tags ( $var );
    $var = htmlentities ( $var );
    $var = stripslashes ( $var );
    return $DBconnection->real_escape_string ( $var );
}
$string='some string needs to insert into mysql';
trim ( sanitizeString ($string) );

From SQL Injection Prevention Cheat Sheet

shows these characters need to escape

NUL, BS, TAB, LF, CR, SUB, %, ', \, _, all other non-alphanumeric characters with ASCII values less than 256

From PHP addslashes

shows addslashes() function will escape these characters: single quote ('), double quote ("), backslash () and NUL (the NULL byte)

As far as I know, escaping is for prevent SQL injection.

So I am curious about how many characters need to be escaped? what are they? Are they all Special Characters in HTML?

As for SQL injection prevent, thanks to Slico, Marc B, and bub help.

Thanks!

Autodesk
  • 631
  • 8
  • 27
  • 3
    Why don't you just use PDO with prepared statements? There is a [nice post](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1) on SO regarding SQL injections – B001ᛦ Jul 05 '16 at 16:18
  • 4
    No. You don't "blacklist" characters. If anything ever changes, your list will be obsolete and allow problems. This is exactly the **WRONG** way of preventing sql injection. You don't allow it to happen in the first place by using the tools properly: prepared statements with placeholders. Then you don't have to worry AT ALL about what chars MIGHT be malicious, and let the DB itself do all the worrying for you. – Marc B Jul 05 '16 at 16:41
  • HTML really doesn't have much to do with SQL injection anyway. – Don't Panic Jul 05 '16 at 16:48
  • 3
    SQL Injection is *always* a big issue @Chay22 – Jay Blanchard Jul 05 '16 at 18:13
  • 1
    thank you @bub ,I will using it. – Autodesk Jul 07 '16 at 04:32
  • @MarcB thanks for explain prepared statements to me:) – Autodesk Jul 07 '16 at 04:36
  • 1
    @JayBlanchard you are right! SQL Injection is always a big issue! – Autodesk Jul 07 '16 at 04:49
  • 1
    @Chay22 really dangerous way of thinking... – B001ᛦ Jul 07 '16 at 07:41

1 Answers1

1

From OWASP take a look at this link:

Primary Defenses:

  • Option #1: Use of Prepared Statements (Parameterized Queries)

  • Option #2: Use of Stored Procedures

  • Option #3: Escaping all User Supplied Input

Additional Defenses:

  • Also Enforce: Least Privilege
  • Also Perform: White List Input Validation
Slico
  • 436
  • 2
  • 16