
So on my website I have a field for users where they can set a profile description of a max 100 letters. My problem is that they can use html for their profile description! I use a as input for their description and is put directly into the mysql database.

Here is the code for displaying their profile description

```html
<div id="mid-profile-desc">
  <p><?php echo $userProfileDesc;?></p>
</div>

<!--String is just this from database: $userProfileDesc = $row["profiledesc"];-->
```

But with this, users setting their profile description can use languages such as HTML, CSS, JavaScript, PHP and a lot more. They can also control my database with that.

So how can I disable users from using all of those? I could probably just ban the "<" and ">" letters but that is probably not safe either. Any good ways of doing this with it being safe as well?

Heine

  • 1) Read up on [SQL injection and how to prevent it](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). 2) Learn how to sanitize your data, since you don't want others manipulating your site. – aynber Jan 26 '18 at 17:29
  • Learn about XSS and HTML escaping. – SLaks Jan 26 '18 at 17:30
  • You have an answer @Heine – Jan 26 '18 at 17:31
  • For SQL injection I just use mysqli_escape_string which I have read that works? I definitely need to learn more about website security because the fact that people can literally delete my whole database right now just by using profile descriptions really scares me. I have turned off the function to change profile descriptions for now. – Heine Jan 26 '18 at 17:32
  • No, read the post I linked. `mysqli_escape_string` is NOT safe. Using prepared statements and parameter binding is the safest way to prevent 1st level injection. – aynber Jan 26 '18 at 17:51

2 Answers

The user input is currently displayed without a filter. This means that, although people cannot use PHP code, they can insert any HTML tags or JavaScript into your website and use them for XSS attacks.

The solution for that is `htmlspecialchars`:

```php
<?php echo htmlspecialchars($userProfileDesc); ?>
```

It is generally not a problem to have unescaped HTML in your database; however, you do need to worry about things like SQL injection. Use parameterized queries to avoid those.

Stratadox

  • Why are you encoding the output? – Levente Otta Jan 26 '18 at 17:32
  • Just to add a bit of followup to this answer. [`htmlspecialchars()`](http://php.net/manual/en/function.htmlspecialchars.php) will do the magic of preventing any html or scripts from running. See the documentation for more info. (Ideally, you should be using this method, along with storing the raw input from the user in the database.) – Blue Jan 26 '18 at 17:33
  • @FrankerZ htmlspecialchars() is an encode function. This should be used before storing. htmlspecialchars_decode() is used to decode the output. – Levente Otta Jan 26 '18 at 17:36
  • Oh, I thought they could use PHP too, then it's not as bad as I thought at least. I just tested using Hey' ?> which displayed like Hey,-> or something, and when I think about it that's what it says when it doesn't work, but thank you, I will add the htmlspecialchars and check it out. – Heine Jan 26 '18 at 17:38
  • @LeventeOtta You can encode for output. – Blue Jan 26 '18 at 17:39
  • @FrankerZ So do you allow storing the SQL query without encoding the string? – Levente Otta Jan 26 '18 at 17:41
  • @LeventeOtta If you're not binding parameters to your SQL query (which is much more preferred), then you should be escaping your data for the query string. – Blue Jan 26 '18 at 17:44
  • @FrankerZ I do, and frameworks do. But usually plain PHP projects aren't prepared for such interventions. – Levente Otta Jan 26 '18 at 17:49
  • @LeventeOtta They wouldn't have created the PHP functions if plain PHP projects weren't supposed to use them. – Blue Jan 26 '18 at 17:49
  • @LeventeOtta In general, I only escape for the current output target. There is little to no added value in escaping HTML before it goes into the database: the database does not parse HTML, so it has nothing to fear from some HTML tags. Instead, databases can be harmed through SQL injection; to prevent that we use parameterized queries. – Stratadox Jan 26 '18 at 17:50
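As an added worked example (not code from the answer, the question or any of the commenters), this is the approach the answer describes, in PHP: store the raw description through a prepared mysqli statement so it never becomes part of the SQL text, and escape it with `htmlspecialchars()` only at the moment it is rendered into HTML. The `users` table, its `id` column and the function names are assumptions; only the `profiledesc` column and the `mid-profile-desc` markup come from the question.

```php
<?php
declare(strict_types=1);

// Limit from the question: a profile description of at most 100 characters.
const PROFILE_DESC_MAX = 100;

// Store the description exactly as typed. Binding it as a parameter means
// quotes, semicolons or angle brackets in it are data, never SQL syntax.
// Table `users` and column `id` are assumed; `profiledesc` is from the question.
function saveProfileDesc(mysqli $db, int $userId, string $desc): bool
{
    // Count characters, not bytes, so multibyte UTF-8 text is measured correctly.
    if (mb_strlen($desc, 'UTF-8') > PROFILE_DESC_MAX) {
        throw new InvalidArgumentException(
            'Profile description exceeds ' . PROFILE_DESC_MAX . ' characters'
        );
    }
    $stmt = $db->prepare('UPDATE users SET profiledesc = ? WHERE id = ?');
    $stmt->bind_param('si', $desc, $userId);
    return $stmt->execute();
}

// Escape for an HTML text context at output time. ENT_QUOTES also encodes
// single quotes, ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, and the explicit charset avoids relying on the default.
function renderProfileDesc(string $rawDesc): string
{
    $safe = htmlspecialchars($rawDesc, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div id="mid-profile-desc">' . "\n"
        . '  <p>' . $safe . '</p>' . "\n"
        . '</div>';
}

// Constructed sample: text containing tags and quotes, as a user might submit it.
// Rendered through renderProfileDesc(), the tags appear as literal text and
// nothing executes in the browser.
$sample = "Hello! <b>bold</b> <script>alert(1)</script> I'm \"Heine\"";
echo renderProfileDesc($sample), PHP_EOL;
```

The escaping belongs in the view, so the same raw value can later be emitted into a different context (JSON, plain text, an attribute) with the escaping appropriate to that context.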

First: Use htmlspecialchars before storing, and decode before output.

Second: Use PDO statement SQL queries.

Levente Otta