0

I usually escape user input by doing the following:

htmlspecialchars($str,ENT_QUOTES,"UTF-8");

as well as mysql_real_escape_string($str) whenever a mysql connection is available.

How can this be improved? I have not had any problems with this so far, but I am unsure about it.

Thank you.

pavium
  • 14,808
  • 4
  • 33
  • 50
Francisc
  • 77,430
  • 63
  • 180
  • 276
  • 1
    User input needs to be escaped only when it is *used*, and then only with the sanitation method needed for that exact use. Related or dupe: [PHP: the ultimate clean/secure function](http://stackoverflow.com/q/4223980) – Pekka May 11 '11 at 12:45

3 Answers3

2

Data should be escaped (sanitized) for storage and encoded for display. Data should never be encoded for storage. You want to store only the raw data. Note that escaping does not alter raw data at all as escape characters are not stored; they are only used to properly signal the difference between raw data and command syntax.

In short, you want to do the following:

$data = $_POST['raw data'];
//Shorthand used; you all know what a query looks like.
mysql_query("INSERT " . mysql_real_escape_string($data));

$show = mysql_query("SELECT ...");
echo htmlentities($show);
// Note that htmlentities() is usually overzealous.
// htmlspecialchars() is enough the majority of the time.
// You also don't have to use ENT_QUOTES unless you are using single
// quotes to delimit input (or someone please correct me on this).

You may also need to strip slashes from user input if magic quotes is enabled. stripslashes() is enough.

As for why you should not encode for storage, take the following example:

Say that you have a DB field that is char(5). The html input is also maxlength="5". If a user enters "&&&&&", which may be perfectly valid, this is stored as "&&." When it's retrieved and displayed back to the user, if you do not encode, they will see "&&," which is incorrect. If you do encode, they see "&&," which is also incorrect. You are not storing the data that the user intended to store. You need to store the raw data.

This also becomes an issue in a case where a user wants to store special characters. How do you handle the storage of these? You don't. Store it raw.

To defend against sql injection, at the very least escape input with mysql_real_escape_string, but it is recommended to use prepared statements with a DB wrapper like PDO. Figure out which one works best, or write your own (and test it thoroughly).

To defend against XSS (cross-site-scripting), encode user input before it is displayed back to them.

Explosion Pills
  • 188,624
  • 52
  • 326
  • 405
1

If you only use mysql_real_escape_string($str) to avoid sql injection, make sure you always add single quotes around it in your query.

The htmlspecialchars is fine when parsing unsafe output to the screen.

Wesley van Opdorp
  • 14,888
  • 4
  • 41
  • 59
1

For the database switch to PDO. It's much easier and does the escaping for you.

http://php.net/pdo

Prikkeldraad
  • 1,347
  • 9
  • 14