
When I post HTML, JS, or CSS tags, rules, or syntax into a text input, it shows up in the page result!
I use `$conn->real_escape_string` and mysqli prepared statements, but it is still not secure for me.

My code is:

```php
<?php
require 'config/config.php';
mysqli_set_charset($conn, "utf8");

$qmsg  = $_POST["qsmsg"];
$qmsgs = mysqli_real_escape_string($conn, $qmsg); // escaped copy; this is the value bound below
$ansr     = "Answer";
$userName = "John";
$userId   = "4";
$userType = "user";
$imgsp    = "images/avatar.jpg";

$stmt = $conn->prepare("INSERT INTO qa (qus, ansrq, uname, uid, utype, uimage) VALUES (?, ?, ?, ?, ?, ?)");
$stmt->bind_param("sssiss", $qmsgs, $ansr, $userName, $userId, $userType, $imgsp);
...
$stmt->close();
$conn->close();
?>
```

Result on my page:

SchoolforDesign
  • You're using placeholder values, which is great, but you're also escaping, which is a mistake: that double-escapes things and damages data. Only use placeholder values and `bind_param`. – tadman Sep 06 '18 at 23:29
  • @tadman could you explain your comment by using code for me, please? – SchoolforDesign Sep 06 '18 at 23:35
  • Remove the line with `mysqli_real_escape_string`; it doesn't belong and it's going to wreck your data. – tadman Sep 06 '18 at 23:35
  • @tadman something like this: `$qmsgs = $qmsg;`? – SchoolforDesign Sep 06 '18 at 23:37
  • That just creates a variable that's a copy of another, so that's redundant. Just pass `$qmsg` into `bind_param` and you're good to go. – tadman Sep 06 '18 at 23:38
  • `$qmsg = htmlspecialchars($_POST["qsmsg"]);` – Tony Sep 06 '18 at 23:39
  • @tadman does this also work: `$qmsgs = htmlspecialchars(mysqli_real_escape_string($conn, $_POST["qsmsg"]));`? Or is it a bad idea? – SchoolforDesign Sep 06 '18 at 23:43
  • Don't pre-escape; you have no idea where that data is going to end up. What if you update your application to send that over JSON? Then you need to de-escape it, then re-escape it for JSON. That's super messy. General rule: escape it *only* when you're displaying it, not when saving it. – tadman Sep 06 '18 at 23:45
  • You're right, thank you. – SchoolforDesign Sep 06 '18 at 23:47
  • @Tony no, that's a bad idea. See [Using htmlspecialchars function with PDO prepare and execute](https://stackoverflow.com/questions/38411112/using-htmlspecialchars-function-with-pdo-prepare-and-execute) – Phil Sep 06 '18 at 23:49
  • @Phil I'm not using PDO, I'm using MySQLi. – SchoolforDesign Sep 07 '18 at 00:01
  • @SchoolforDesign read past the specifics. _"Filter input / escape output"_ is a general idea and not one tied to any particular technology. – Phil Sep 07 '18 at 00:03

1 Answer


This is an XSS problem, not a database or CSS problem.

The quick answer is you must call `htmlspecialchars` on any user data that you're displaying in an HTML context. That will neutralize any HTML a user has introduced, either deliberately or by accident.

The long answer is people like to be able to put in some formatting, so consider using something like Markdown so you can type things like *bold* and _italic_ and not have to write actual HTML. There are many, many PHP implementations of this readily available.

tadman
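The flow the comments and the answer arrive at, as an added example (not the asker's code or tadman's): the raw input is bound straight into the prepared statement, and `htmlspecialchars` is applied only where the row is rendered. It assumes an open mysqli connection in `$conn` and the `qa` table from the question; the rendering part runs on a constructed row with no database.

```php
<?php
declare(strict_types=1);

// Save the question exactly as typed. bind_param keeps the value out of the SQL text,
// so no mysqli_real_escape_string: that would store literal backslashes in the table.
function saveQuestion(mysqli $conn, string $qmsg, string $ansr, string $userName,
                      int $userId, string $userType, string $imgsp): bool
{
    $stmt = $conn->prepare(
        "INSERT INTO qa (qus, ansrq, uname, uid, utype, uimage) VALUES (?, ?, ?, ?, ?, ?)"
    );
    $stmt->bind_param("sssiss", $qmsg, $ansr, $userName, $userId, $userType, $imgsp);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Escape for an HTML text or attribute context. ENT_QUOTES also converts single quotes,
// which matters if the value ever lands inside a single-quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render one stored row: every user-controlled column goes through h() here, at output time,
// so stored tags are shown as text instead of being interpreted by the browser.
function renderQuestion(array $row): string
{
    return '<div class="question">'
         . '<img src="' . h($row['uimage']) . '" alt="">'
         . '<strong>' . h($row['uname']) . '</strong>: '
         . '<p>' . h($row['qus']) . '</p>'
         . '</div>';
}

// Constructed sample row standing in for a fetched result; the quote, ampersand and tags
// are exactly the characters the question's page was rendering raw.
$row = [
    'qus'    => 'It\'s <b>bold</b> & <a href="x">link</a>',
    'uname'  => 'John',
    'uimage' => 'images/avatar.jpg',
];
echo renderQuestion($row), PHP_EOL;
```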