
I'm using PDO with prepared statements in my code and I would like to know how to better output my data, because I'm also using a WYSIWYG editor. Using strip_tags, htmlentities or htmlspecialchars is not displaying text styles properly.

Here is the code to input data to the database:

$sql  = "INSERT INTO posts(post_title, post_content, post_author, post_category, post_tags, post_image) ";
$sql .= "VALUES(:title, :content, :author, :category, :tags, :image)";
$stmt   = $dbConn->prepare($sql);
$result = $stmt->execute([
    ':title'    => $postTitle,
    ':content'  => $postContent,
    ':author'   => $postAuthor,
    ':category' => $postCategory,
    ':tags'     => $postTags,
    ':image'    => $imageFullName
]);
Your Common Sense
Pitshou



The built-in functionality you are requesting will be difficult to get. There are many workarounds:

1.) you can use an external library like HTMLPurifier http://htmlpurifier.org/

2.) use of strip_tags()

You can use strip_tags() to allow certain tags to be passed through while stripping out other, dangerous HTML tags.

E.g. to allow only <h1> and <b> while stripping out other tags you can do this:

$text_strip = '<h1>Am nancy.</h1><div>hhhh</div> <b>Mooree</b> <a href="">remove me</a>';
// Allow only <h1> and <b>; every other tag is removed but its text content is kept
echo strip_tags($text_strip, '<h1><b>');

See the list of available data filtering methods: https://www.php.net/manual/en/book.filter.php

3.) use of FILTER_SANITIZE_STRING

You can also use FILTER_SANITIZE_STRING to filter out dangerous text inputs:

$text = '<b>Mooree</b> <script>alert(1)</script>'; // sample input to sanitize
echo filter_var($text, FILTER_SANITIZE_STRING);

see list of all available sanitization methods sanitization: https://www.php.net/manual/en/filter.filters.sanitize.php

An update

One more thing. You can still be vulnerable to SQL injection attacks even if you are using PDO. This is because PDO performs sanitization by emulating the deprecated mysql_real_escape_string() function. You will need to force PDO to disable emulation and use real prepared statements. I will update my answer.

To resolve this issue see the code below for the database connection. The charset is set to utf8.

$db = new PDO('mysql:host=localhost;dbname=mydb;charset=utf8',
    'root',    // username
    'root123'  // password
);

// Disable emulated prepares and thus force PDO to use real (server-side) prepared statements.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

With the above you are 100% safe against all sorts of SQL injection attacks. Give me a shout in the comments if you appreciate this.

Nancy Moore
  • Very useful. I tried to allow some tags and it worked. – Pitshou Oct 03 '19 at 11:35
  • One more thing. You can still be vulnerable to SQL injection attacks even if you are using PDO. This is because PDO performs sanitization by emulating the deprecated mysql_real_escape_string() function. You will need to force PDO to disable emulation and use real prepared statements. I will update my answer. – Nancy Moore Oct 03 '19 at 11:38
  • See the updated answer for more info on SQL injection with PDO @Pitshou – Nancy Moore Oct 03 '19 at 11:44
  • This is how I connect with PDO: is this safe? PDO::ATTR_PERSISTENT => true, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION @Nancy Moore – Pitshou Oct 03 '19 at 11:59
  • In production, you can just comment out this line in the code if you like and you will be okay: $db->setAttribute(PDO::ATTR_ERRMODE, PDO::EXCEPTION). You can change the $db variable to any variable of your choice. You will be okay. – Nancy Moore Oct 03 '19 at 12:06
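To tie the answer's connection settings and the comment thread together, here is an added example (not code from the question, the answer or the comments) of a PDO connection built with the options array the commenter is using, emulation switched off as the answer recommends, and the question's INSERT run through it. It also shows the two places a prepared statement cannot help, because placeholders bind values only: a column name in ORDER BY has to be checked against an allow-list, and LIMIT has to be bound as an integer. The credentials, the `app_user` account, the `id` primary key on `posts` and the hostile sample values are all assumptions for the demonstration.

```php
<?php
// Added example (not from the original post or answer): PDO with native
// prepares, plus the two cases placeholders do not cover.
// Assumes a MySQL server reachable with the hypothetical credentials below.
declare(strict_types=1);

function connectDb(): PDO
{
    // The charset belongs in the DSN so the client library knows the
    // encoding it is quoting for (the answer's utf8; utf8mb4 covers all of Unicode).
    $dsn = 'mysql:host=localhost;dbname=mydb;charset=utf8mb4';
    $options = [
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // keep in production; log it, do not display it
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        PDO::ATTR_PERSISTENT         => true,                   // the commenter's setting; unrelated to injection safety
    ];
    return new PDO($dsn, 'app_user', 'app_password', $options); // hypothetical credentials
}

// The question's INSERT: every user-supplied value goes through a placeholder.
function insertPost(PDO $db, array $p): int
{
    $sql = 'INSERT INTO posts (post_title, post_content, post_author, post_category, post_tags, post_image)
            VALUES (:title, :content, :author, :category, :tags, :image)';
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':title'    => $p['title'],
        ':content'  => $p['content'],   // raw editor HTML; sanitised at output, not here
        ':author'   => $p['author'],
        ':category' => $p['category'],
        ':tags'     => $p['tags'],
        ':image'    => $p['image'],
    ]);
    return (int) $db->lastInsertId();
}

// Placeholders bind VALUES. Identifiers and keywords cannot be bound, so a sort
// column taken from the request is matched against a fixed list, and LIMIT is
// bound with PDO::PARAM_INT (values passed through the execute() array are
// sent as strings under emulation, and MySQL rejects LIMIT '10').
function listPosts(PDO $db, string $orderBy, string $dir, int $limit): array
{
    $allowedColumns = ['id', 'post_title', 'post_category']; // assumed schema
    if (!in_array($orderBy, $allowedColumns, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $dir   = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    $limit = max(1, min($limit, 100));

    $stmt = $db->prepare("SELECT id, post_title, post_author FROM posts ORDER BY `$orderBy` $dir LIMIT :limit");
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

try {
    $db = connectDb();
    $id = insertPost($db, [
        'title'    => "Robert'); DROP TABLE posts;--", // constructed hostile value: stored literally
        'content'  => '<p>hello</p>',
        'author'   => 'pitshou',
        'category' => 'news',
        'tags'     => 'a,b',
        'image'    => 'x.png',
    ]);
    print_r(listPosts($db, 'post_title', 'desc', 10));
} catch (PDOException $e) {
    error_log($e->getMessage()); // detail goes to the log; the user sees a generic message
    echo "database error\n";
}
```

Keeping ERRMODE_EXCEPTION in production is the usual choice: what must not happen there is displaying the exception message, which is a display_errors question, not a reason to drop the attribute. The title value in insertPost() ends up in the table exactly as typed, quote and all, because the server receives it as a bound parameter rather than as part of the SQL text.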