-3

I'm fairly new to PHP.

I'm trying to sanitize my input before UPDATE-ing it in MySQL.

If my string contains an apostrophe, like "I'm new on Php", it doesn't work with this code:

$description = $_POST['description'];
$description = htmlspecialchars($description);
$description = mysqli_real_escape_string($description);
$description = trim(preg_replace('/\s+/', ' ', $description));

It doesn't work: the field in the table ends up empty.

If I use

$description = $_POST['description'];
$description = htmlspecialchars($description);
$description = str_replace("'", "\'", $description);
$description = trim(preg_replace('/\s+/', ' ', $description));

It works.

Why doesn't $description = mysqli_real_escape_string($description) work?

Hamid Yusifli
stighy
  • Addslashes. But don't do this, use a prepared statement and never worry about this again. Make a method if you want easy usage, you'll save tons of time not worrying about stuff like this. – Martijn May 03 '21 at 07:41
  • For inserting into DB just `real_escape_string`. `htmlspecialchars` is for output to page, not saving into DB. `trim/preg_replace` is optional. Or forget about manually sanitizing SQL queries and use PDO. – pavel May 03 '21 at 07:46
  • _"Why $description = mysqli_real_escape_string($description) won't work?"_ - You're [using it wrong](https://www.php.net/manual/en/mysqli.real-escape-string.php). The first argument should be the connection. But as @Martijn said, use prepared statements with bound parameters instead of manually escaping the data. – M. Eriksson May 03 '21 at 07:46

2 Answers

2

Don't use functions like that; instead use prepared statements. Below is a very minimalistic example, but it should give you something to build off of:

// Disclaimer: This is untested, but should give you a general direction:
function preparedQuery(mysqli $mysqli, string $sql, string $paramtypes, array $values): mysqli_stmt {
    // Note: You need some way to get the connection ($mysqli) into this
    //       function. Here it is passed in as the first argument; a Singleton
    //       DB class is another option.
    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    // One type letter per value; the values are bound by reference and sent
    // separately from the SQL text, so no escaping is needed.
    $stmt->bind_param($paramtypes, ...$values);
    $stmt->execute();

    return $stmt;
}

And then you can use it:

$result = preparedQuery(
    $mysqli, // your open mysqli connection
    "INSERT INTO tabel (name, email, age, date) VALUES (?, ?, ?, NOW())",
    'ssi', // s -> string, i -> integer
    [$name, $email, $age]
);

You can fetch it using $result. You can use it in a while loop. I suggest you read up on prepared statements. It's a bit tricky, but once you get the hang of it, very powerful and secure.

Martijn
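The following is an added example, not code from the question or from either answer. It puts the advice in the comments and in Martijn's answer together for the asker's actual case, an UPDATE of a description that contains an apostrophe: the prepared-statement version that needs no escaping at all, the hand-escaped version with the connection passed as the first argument (the mistake in the question: with only one argument PHP 7 emits a warning and returns NULL, which is why the column ended up empty, and PHP 8 throws ArgumentCountError), and htmlspecialchars applied at output time rather than before storing, which is the point the second answer below gets backwards. The `posts` table, its `id` and `description` columns, the row id 42 and the connection credentials are all assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example: storing user text containing an apostrophe safely with mysqli.
// Assumed schema (not on the page): posts(id INT PRIMARY KEY, description TEXT).
// Assumed credentials (hypothetical): adjust to your environment.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$mysqli->set_charset('utf8mb4'); // escaping rules depend on the connection charset

$id = 42;                                                  // hypothetical row
$description = $_POST['description'] ?? "I'm new on Php";  // constructed input with an apostrophe

// Whitespace normalisation is fine to keep: it is formatting, not SQL safety.
$description = trim(preg_replace('/\s+/', ' ', $description));

// 1. Recommended: prepared statement with bound parameters. The value travels
//    separately from the SQL text, so the apostrophe can never become SQL syntax.
function updateDescription(mysqli $db, int $id, string $description): int
{
    $stmt = $db->prepare('UPDATE posts SET description = ? WHERE id = ?');
    $stmt->bind_param('si', $description, $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// 2. Only if you must build the SQL string by hand: the connection is the first
//    argument, and the escaped value must sit inside single quotes in the SQL.
//    mysqli_real_escape_string($description) with one argument is the bug in the
//    question: PHP 7 warns and returns NULL (empty column), PHP 8 throws.
function updateDescriptionEscaped(mysqli $db, int $id, string $description): int
{
    $safe = $db->real_escape_string($description);  // "I'm" becomes "I\'m"
    $db->query("UPDATE posts SET description = '$safe' WHERE id = $id");
    return $db->affected_rows;
}

updateDescription($mysqli, $id, $description);

// Read the row back: the stored value is the original text, apostrophe intact.
$stmt = $mysqli->prepare('SELECT description FROM posts WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$row = $stmt->get_result()->fetch_row();
$stmt->close();
$stored = $row[0] ?? '';

// 3. htmlspecialchars belongs here, when the text is rendered into HTML,
//    not before storing it. Storing the raw text keeps the data reusable
//    (JSON APIs, e-mails, CSV) and avoids double-encoding on later edits.
echo htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
```

The hand-escaped variant is included only to show the correct call shape; it is still string-building, and it is only safe while the value is wrapped in quotes and the connection charset is set. The prepared-statement variant is the one to keep.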
-2

You need to use htmlspecialchars with ENT_QUOTES. This will convert double and single quotes.

<?php
$description = $_POST['description'];
$description = htmlspecialchars($description, ENT_QUOTES);
?>

While printing them you can just print it using:

<?php
$row['description'];
?>
John Doe
  • This doesn't answer the question. Your answer is about displaying, but OP asks about storing it into a DB – Martijn May 03 '21 at 07:55
  • For your kind info, the first variable: description will be used to store it into the database. – John Doe May 03 '21 at 08:13
  • a) Your answer isn't storing anything into the DB, which is the question. b) Your answer outputs nothing as there is no echo (because you rolled back my edit). – Martijn May 03 '21 at 08:22