Sanitizing Form Input for administrators

Question

In my site's administration area, I have been using mysqli_real_escape_string when retrieving form input that goes into the database. It works fine but I realize that it does not prevent script injections. I mean I can pass through scripts like:

<script>alert('hello');</script>

What do I use in addition to this to prevent a malicious admin from injecting some nasty stuff?

• htmlentities()?
• strip_tags()?
• htmlspecialchars()?

What is the proper way to sanitize form input in back-end forms where html is not required for input data? I am confused?

Answer 1

htmlentities() and htmlspecialchars() are used when you're outputting data. Encoding and escaping are different.

If you don't want HTML, my recommendation would be to use strip_tags() to clean it of any HTML tags and use html* when you're outputting the content.

Also, you might consider switching to MySQL PDO. This is a much more preferred and secure way of running your queries.

Answer 2

You should use htmlentities() .

Answer 3

The term you are looking for is Cross Site Scripting or XSS for short. Searching for that should give you plenty of resources, such as this question right here on StackOverflow.

Answer 4

The proper answer is highly dependent on your application.

Many administration systems need a way for admins to manipulate HTML. But some HTML is more dangerous than others.

As JohnP said, strip_tags() can be handy, since the second parameter allows you to explicitly allow certain, harmless tags (like or ), while stripping out anything else (like or )

If you need more sophistication than that, you'll need to do a more careful analysis and come up with a solution tailored to your needs. (Hint: If that solution involves using regular expressions to match HTML tags, you probably want to take a step back)

Answer 5

You can use magic_quotes function to sanitize if you're using php 4 or less php 5.2 or less.