
I want to allow the user to put his data into a text field. That text field will be stored in a database, and in future steps this text will be displayed on some pages, of course in the same way that the user created it. OK, consider this Stack Overflow example: I am allowed to put any code or text, anything, and that code or anything is simply ignored by its server. So how is this working?

My problem is, I can't trust users. A user can put anything (maybe code -> SQL, or simple text). So I planned to use mysql_real_escape_string(), but this function is putting some slashes in malicious code. That's good, but I want to put the user-entered string into the database so that I can use it later (not that sanitized string). So how can I? Indeed, I am developing a CMS which is using a database class (this). I read about PDO, but making use of this concept may make me change everything. I want a way other than the PDO approach; a parametric approach is favorable.

masoud
Inactive
  • possible duplicate of [Best way to stop SQL Injection in PHP](http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php) - this does what you want. You don't need to care about anything else as you write in your question, that you want it outputted as inputted. – hakre Nov 06 '11 at 17:16
  • @hakre: in what way are these two questions looking the same? – Inactive Nov 06 '11 at 17:21
  • You want to prevent SQL injection, but keep the data the same. That's answered in that question. – hakre Nov 06 '11 at 17:23

4 Answers


mysql_real_escape_string() does not sanitize or mess up your input in any way, it just prepares your text to be a valid part of a SQL insert statement.

If you get duplicate backslashes before an apostrophe, check if you maybe have "magic quotes" enabled.

An option for you would also be to start using mysqli driver, then you can use prepared statements. This syntax works better against SQL injections. See responses on this SO post: Does mysqli class in PHP protect 100% against sql injections?

naivists
  • Depending on your intent, you might want to make sure that you sanitize the given text on output, so that there's no way to change the behaviour of the website (XSS). So, if it's just about displaying the exact code without letting a user inject Javascript or HTML, you might want to use `htmlspecialchars('string', ENT_QUOTES)` when outputting the saved text. – Jan. Nov 06 '11 at 17:32

When inserting user-provided content into the database, use query parameters or at least escaping to prevent SQL injection. See also my answer to What is SQL injection?

Even if you get strings of code inserted safely into the database, you have a second possible vulnerability:

When displaying content, be aware of risks of Cross-Site Scripting (XSS). When you display the content from the database in an HTML output, it could contain HTML tags or Javascript code that is executed as part of the web page instead of displaying the code.

To help prevent XSS, you must convert tag-open characters to their HTML entity, for instance < should be output as &lt;. This makes sure it is shown as a literal '<' and not interpreted by the user's browser as another tag.

Bill Karwin
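Putting the two answers above together (mysqli prepared statements for storage, as naivists suggests, and htmlspecialchars() at output time, as Bill Karwin describes), here is an added example; it is not code from any answer on this page. The `posts` table, the connection credentials and the use of get_result() (which needs the mysqlnd driver) are assumptions.

```php
<?php
// Added example, not from the question or any answer: store the user's text
// verbatim with a mysqli prepared statement, and encode it only when displayed.
// Assumed schema: posts(id INT AUTO_INCREMENT PRIMARY KEY, body TEXT).
// Connection credentials below are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password', 'cms');
$db->set_charset('utf8mb4');

// Store: the value travels separately from the SQL text, so quotes,
// backslashes or an embedded "'; DROP TABLE" inside $body are only data.
function save_post(mysqli $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
    return (int) $db->insert_id;
}

// Load: the text comes back exactly as the user typed it, unescaped.
function load_post(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // requires mysqlnd
    return $row['body'] ?? null;
}

// Display: encode for the HTML context so "<script>" shows as literal text
// instead of being interpreted by the browser.
function render_post(string $body): string
{
    return '<pre>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</pre>';
}

// Constructed sample input containing both a SQL quote and an HTML tag.
$input = $_POST['userdata'] ?? "O'Reilly <script>alert(1)</script>";
$id = save_post($db, $input);
echo render_post(load_post($db, $id) ?? '');
```

The same string is stored unchanged and displayed as visible text; the encoding step belongs at the output boundary, not at insert time.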

How about encoding the entire string and then inserting it? I use `base64_encode` to encode, and do the reverse when retrieving from the database. The characters are alphanumerics (with ==) and they aren't harmful.

You can push the entire encoded string to the client-side and decode it with Javascript.

Mob
  • btw, I have rated you up, not down! – Inactive Nov 06 '11 at 17:25
  • @ParitoshPiplewar Thanks. It's not you; someone downvoted this and then removed the downvote without an explanation. – Mob Nov 06 '11 at 17:27
  • I reversed my downvote, since your method would work but it is a question of taste or preference for a different solution. Storing strings base64-encoded doubles the storage space required. Also I don't like requiring javascript to display plain text, it's not nice for ADA. – Bill Karwin Nov 06 '11 at 17:28
  • Storing base64 in the database makes no sense. It is NOT a matter of taste but a matter of sane data processing. – Your Common Sense Nov 06 '11 at 17:31
  • @Col.Shrapnel I said "How about"; of course I expected someone else to come along with a decent answer, but this is a valid and working suggestion. Also, it makes perfect sense. – Mob Nov 06 '11 at 18:05
  • It is an invalid solution, and it makes no sense, especially if you answer a noob who has no experience to tell a proper way from a perverted one. – Your Common Sense Nov 06 '11 at 18:11
  • @Col.Shrapnel Well, that's your business. Do as you like. – Mob Nov 06 '11 at 18:41

Here is an example:

```php
if (isset($_POST['userdata'])) {
    // base64 output uses only A-Z, a-z, 0-9, '+', '/' and '=', so the
    // interpolated value cannot contain a quote that would break the SQL.
    $safestring = base64_encode($_POST['userdata']);

    mysql_query("UPDATE table_name SET value_name = '$safestring'
                 WHERE some_username = 'username'");
    // base64_decode() the stored value when reading it back.
}
```
user962284