
I want to know if the way I'm escaping quotes is the best or if it can be enhanced.

Visitors can submit text which is stored in a database and then displayed on another page. Simple enough. I use PDO prepared statements to store it in the database:

$sql = "INSERT INTO inscriptions (
            name,
            surname,
            comments
            )
            VALUES (
                :name,
                :surname,
                :comments
            )";     

$req = $db->prepare($sql);

$req->execute(array(
    ':name' => $name,
    ':surname' => $surname,
    ':comments' => $comments
));

This part I understand; it's the following part that I have questions about:

Then, to display it, I use htmlentities to prevent quotes and JavaScript from interfering with the code. I also use array_walk_recursive (or array_map, depending on the case) to automate the escaping.

<?php
// Escape one field in place. ENT_QUOTES also converts single quotes,
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escaped(&$item)
{
    $item = htmlentities($item, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$sql = "SELECT *
        FROM master_table";
$req = $db->prepare($sql);   // prepare first, then execute
$req->execute();
while ($row = $req->fetch()) {
    array_walk_recursive($row, 'escaped'); ?>

    <p><?php echo $row["comments"]; ?></p>
    <form action="supp.php" method="post" onsubmit="return confirm('Do you want to delete <?php echo $row["surname"].' '.$row["name"]; ?> comment ?')">
        <input type="hidden" value="<?php echo $row["id"]; ?>" name="idcom" />
        <input type="image" alt="Delete" src="trash.png"/>
    </form>
    <?php } ?>

(This code is used to delete a comment, with a confirmation alert before doing so, hence the importance of escaping, because the name is used in the alert.)

This code works fine, but I want to know if I'm doing the escaping the right and secure way.

If something seems unclear in my post, please comment it so I can modify it.

Thanks !

Edit: Not asking about SQL injection, but about JavaScript, tags and quotes users could put in a field.

Gawet
  • Looks fine to me. You could also reduce the risk of malicious input by limiting the allowed characters for each field; I think normal people won't try to use `>`, `<` and `,` or other special chars in their username or other personal info. – Code Spirit Apr 29 '19 at 13:55
  • "javascript injection"? – Jay Blanchard Apr 29 '19 at 13:56
  • Please have also a look at https://www.php.net/manual/en/security.database.sql-injection.php maybe you can find there things that you have forgotten – Buh13246 Apr 29 '19 at 13:56
  • I think the question asks if the user has the correct approach to prevent a stored XSS attack. – Dimitrios Desyllas Apr 29 '19 at 13:57
  • Okay, I may not have been clear. I'm asking about the SELECT part mostly. PDO prepared statements work fine. – Gawet Apr 29 '19 at 13:58
  • Well, if you are asking about XSS & JavaScript injection, then alongside `htmlentities` use `strip_tags` as well. With that you make the input plaintext only. In case you need HTML input (e.g. input from a TinyMCE editor), then solutions such as [html purifier](http://htmlpurifier.org/) do the job. In case of a – Dimitrios Desyllas Apr 29 '19 at 14:01
  • Don't know whether [HTMLPurifier](http://htmlpurifier.org/) is still an active project but that *should* be able to clean your HTML/JS on output to mitigate XSS. – CD001 Apr 29 '19 at 14:04
  • Also for questions like that use: https://codereview.stackexchange.com/ ;) (I mean having a working piece of code but still not sure whether logically it has been implemented correctly.) – Dimitrios Desyllas Apr 29 '19 at 14:04
  • Hey thanks Dimitrios, didn't know this existed ! – Gawet Apr 29 '19 at 14:05
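The following is an added example, not code from the asker or from any of the commenters. It addresses the part of the template that HTML escaping alone cannot secure: the `onsubmit` attribute. The browser first HTML-decodes the attribute value and only then evaluates the result as JavaScript, so a single quote in a surname terminates the `confirm('...')` string literal whether it arrives as `'` (the default `htmlentities` flags before PHP 8.1 do not escape single quotes) or as `&#039;` (which decodes back to `'` before the JavaScript parser sees it). The fix is to encode for the inner context first, producing a JavaScript string literal with `json_encode` and its `JSON_HEX_*` flags, and then HTML-escape that literal for the attribute. The function names, the `render_comment` helper and the sample row are assumptions made for this example, and the markup reproduces the form from the question.

```php
<?php
// Added example, not the asker's code. Context-aware escaping for the two
// output contexts in the question's template. Assumes PHP >= 7.0.

// HTML body and HTML attribute values. ENT_QUOTES matters: before PHP 8.1
// the default flags leave single quotes untouched.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string inside an HTML event attribute: two nested contexts.
// 1. json_encode yields a valid JS string literal (quotes and backslashes
//    escaped); the JSON_HEX_* flags turn < > & ' " into \uXXXX so nothing
//    HTML-significant is left, whatever the browser decodes later.
// 2. esc_html then protects the value="..." boundary. The browser decodes
//    the attribute back to the JSON literal and hands it to the JS parser.
function esc_js_in_attr(string $s): string
{
    $literal = json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
    if ($literal === false) {
        // Invalid UTF-8: fail closed instead of emitting half-escaped output.
        throw new InvalidArgumentException('value is not valid UTF-8');
    }
    return esc_html($literal);
}

// Builds the markup for one comment. Escaping happens here, per context,
// instead of blanket-escaping the whole row up front.
function render_comment(array $row): string
{
    $label = esc_js_in_attr($row['surname'] . ' ' . $row['name']);
    return '<p>' . esc_html($row['comments']) . "</p>\n"
        . '<form action="supp.php" method="post" onsubmit="return confirm('
        . "'Do you want to delete ' + " . $label . " + ' comment ?')\">\n"
        . '    <input type="hidden" value="' . esc_html($row['id']) . "\" name=\"idcom\" />\n"
        . "    <input type=\"image\" alt=\"Delete\" src=\"trash.png\" />\n"
        . "</form>\n";
}

// Constructed sample row: the surname is a breakout attempt that survives
// htmlentities() because &#039; decodes back to ' before the JS runs.
$row = [
    'id'       => '42',
    'name'     => 'Bob',
    'surname'  => "O'Neil');alert(document.cookie);//",
    'comments' => '<script>alert(1)</script> & "quoted"',
];

echo render_comment($row);
```

With this row, the rendered `onsubmit` decodes in the browser to `return confirm('Do you want to delete ' + "O\u0027Neil\u0027);alert(document.cookie);\/\/ Bob" + ' comment ?')`, so the whole surname ends up as text inside the dialog rather than as code. Escaping at the point of output, per context, also removes the need for `array_walk_recursive` over the row, and it makes character whitelisting or `strip_tags`, as suggested in the comments, an optional input-validation measure rather than the thing the page's safety depends on.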

0 Answers