I got

$id = (int) $_POST['id'];
$content = filter_input(INPUT_POST, 'post_content', FILTER_SANITIZE_STRING);

The above makes my $content string secure when I post it to the database:

$conn->new->query("UPDATE `posts` SET `content` = " . $conn->escape_string($content) . " where `id` = {$id};");

But at the same time, it does remove some special characters like tags; for example, I cannot use < in my post, because it'll be removed.

How can I modify that to be secure enough and at the same time prevent my code from being hacked?

Rym
  • 77
  • 1
  • 1
  • 7
  • `FILTER_SANITIZE_STRING` is a combination of `strip_tags` and `htmlspecialchars`. You have to decide on what you want / to keep. If tags shall be allowed, then use a real filter like HTMLPurifier. – mario Oct 08 '11 at 18:27

2 Answers

1

Escaping is the process of allowing certain characters that could have detrimental effects on the target system. For example, MySQL uses characters like quotes and parentheses. mysql_real_escape_string escapes such characters so they don’t pollute the queries.

You don’t necessarily need to sanitize HTML from data before storing it in the database, but you MUST escape harmful characters. As @Damien pointed out in a comment, you can escape HTML (which could have detrimental effects on your HTML) before output.

Herbert
  • 5,698
  • 2
  • 26
  • 34
  • So how can I escape those 'harmful' characters before query? When I read a data from the database, I display that using `htmlspecialchars()`. – Rym Oct 08 '11 at 21:30
  • [mysql_real_escape_string](http://php.net/manual/en/function.mysql-real-escape-string.php) or [mysqli::real_escape_string](http://php.net/manual/en/mysqli.real-escape-string.php) – Herbert Oct 08 '11 at 21:55
  • Better still, use PDO to interact with your database. PDO is nicely explained [here](http://stackoverflow.com/questions/1742066/why-is-pdo-better-for-escaping-mysql-queries-querystrings-than-mysql-real-escape/1742638#1742638). – Herbert Oct 08 '11 at 22:00
  • I'm using PDO, `$conn->escape_string($content)` is `$sql->quote`. – Rym Oct 08 '11 at 22:49
  • Ah! I see. You're all set then. You don't need to use `filter_input()`. Just use `htmlspecialchars()` before using the data. – Herbert Oct 09 '11 at 01:26
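Putting Herbert's advice together, as an added example that is not from the question or the answers: store the raw text with a PDO prepared statement (so neither escape_string() nor quote() is needed), and call htmlspecialchars() only when rendering. The SQLite in-memory DSN and the posts table layout are assumptions made for the demo.

```php
<?php
// Added example (not from the question or answers): store the raw post
// content with a PDO prepared statement, and escape for HTML only on output.
// The SQLite DSN and the table/column names are assumptions for this demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, content TEXT)');
$pdo->exec("INSERT INTO posts (id, content) VALUES (1, 'placeholder')");

// Constructed input standing in for $_POST: contains a tag, a quote and a
// comment sequence. None of it is stripped; none of it reaches the SQL parser.
$id = 1;
$content = "I think 1 < 2, isn't it? <b>bold</b> -- ok";

// Bound parameters replace escape_string()/quote(): the driver sends the
// value separately from the statement text, so quoting is never an issue.
$stmt = $pdo->prepare('UPDATE posts SET content = :content WHERE id = :id');
$stmt->bindValue(':content', $content, PDO::PARAM_STR);
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();

// Read it back: the stored value is byte-for-byte what the user typed.
$stmt = $pdo->prepare('SELECT content FROM posts WHERE id = :id');
$stmt->execute([':id' => $id]);
$stored = $stmt->fetchColumn();
assert($stored === $content);

// Escape for the HTML context only when rendering, with ENT_QUOTES and the
// page charset so both quote kinds are encoded and invalid UTF-8 is replaced.
$safeHtml = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo '<div class="post">' . $safeHtml . '</div>', PHP_EOL;
```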
0

Just use real_escape_string() and it's already good and secure ^_^

NiLL
  • 13,645
  • 14
  • 46
  • 59
  • I'm using: `$conn->escape_string`, that's the same as `real_escape_string`, so you say that's enough to be safe? No need to escape from special characters? – Rym Oct 08 '11 at 18:32
  • 1
    @Rym "escaping" is pretty much dependent on the destination medium. If you want to escape before INSERTING INTO DATABASE, use m_r_e_s as suggested, or your db function which does the same. If you want to escape HTML, you need to do it BEFORE OUTPUTTING to the page. Use htmlentities() for that – Damien Pirsy Oct 08 '11 at 18:34
  • So, to be clear: before update/insert string to the database I should use `escape_string` and when I want to display it on the page I should use `htmlspecialchars()` or `htmlentities()`? – Rym Oct 08 '11 at 18:49
  • m_r_e_s is shorthand for [mysql_real_escape_string](http://php.net/manual/en/function.mysql-real-escape-string.php) – Herbert Oct 08 '11 at 18:56