In PHP When Submitting Strings to the Database Should I Take Care of Illegal Characters Using Htmlspecialchars() or Use a Regular Expression

  • Home
  • Languages
  • PHP
  • In PHP When Submitting Strings to the Database Should I Take Care of Illegal Characters Using Htmlspecialchars() or Use a Regular Expression

In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?

If you submit this data to the database, please take a look at the escape functions for your database.

That is, for MySQL there is mysql_real_escape_string.

These escape functions take care of any characters that might be malicious, and you will still get your data in the same way you put it in there.

You can also use prepared statements to take care of the data:

$dbPreparedStatement = $db->prepare('INSERT INTO table (htmlcontent) VALUES (?)');
$dbPreparedStatement->execute(array($yourHtmlData));

Or a little more self explaining:

$dbPreparedStatement = $db->prepare('INSERT INTO table (htmlcontent) VALUES (:htmlcontent)');
$dbPreparedStatement->execute(array(':htmlcontent' => $yourHtmlData));

In case you want to save different types of data, use bindParam to define each type, that is, an integer can be defined by: $db->bindParam(':userId', $userId, PDO::PARAM_INT);. Example:

$dbPreparedStatement = $db->prepare('INSERT INTO table (postId, htmlcontent) VALUES (:postid, :htmlcontent)');
$dbPreparedStatement->bindParam(':postid', $userId, PDO::PARAM_INT);
$dbPreparedStatement->bindParam(':htmlcontent', $yourHtmlData, PDO::PARAM_STR);
$dbPreparedStatement->execute();

Where $db is your PHP data object (PDO). If you're not using one, you might learn more about it at PHP Data Objects.

Is my code safe from SQL injection? Simple Sessions login

Although your code is okay, your idea of protection is wrong

mysql_real_escape_string does not protect from injections. It does format strings.
As long as you have your strings properly formatted, they are safe.

The problem begins when you're trying to use the same function to format non-strings - a numbers for example.

It become totally useless and your SQL - vulnerable.

So, you can keep with your current code but in the future, as soon as you will need to use another query part - you will need to format it differently. Here is a set of full rules: In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?

And of course do not escape password! If i have a password like wef5623'sdf - it will never let me in!

By the way, I have no idea why you're using SO much variables for just a single value - $_POST['username'], $username, $uusername, $ousername - what's all this?

Correct PHP method to store special chars in MySQL DB

Use utf8 encoding to store these values.

To avoid injections use mysql_real_escape_string() (or prepared statements).

To protect from XSS use htmlspecialchars.

How should I fix this? Symbols in $_GET

If it were me, I would do a str_replace() to convert plus signs to spaces before hashing. Put the str_replace() within the hashing function; that way the user's email address is only modified within the function's scope, and remains unaltered for the rest of the script.

function hash_email($email)
{
  $email = str_replace('+', ' ', $email);

  ...hashing stuff happens here...

  return $token;
}

$token = hash_email($_GET['email']);

mysql_real_escape_string : Is it enough for database security alone?

If you want to have a more secure database, simply escaping a string is not enough. This will definitely help in regards to SQL injection attacks, but there are a host of other methods to compromise a database.

Some pointers:

  1. Practice "least privilege" in that the users and accounts that are GRANTed access to your database should have the minimum privileges to complete their tasks and nothing else.
  2. Make sure your passwords are difficult to guess (composed of letters both lower and upper, numbers, symbols, etc.) and changed regularly.
  3. Don't save credit card numbers unless absolutely necessary (assuming you're running a commercial site).
  4. Hash and possibly salt your passwords before storing them in your database if you'll have user accounts
  5. Check and double-check port numbers (3306 for MySQL) and permissions on files and directories, especially if users are uploading files

These are generally good practice and you should be aware of issues for databases outside the scope of just SQL injection attacks.

Is it safe to let the user specify the mysql field to search?

You should check that the fields they provided are in a list/array of fields you allow searching within. Add backticks around the field names in the query just to be extra safe as well. Doing both those things will prevent any injection through those variables.

Function to sanitize input values PHP

Try using mysql_real_escape_string() rather than mysql_escape_string().


Related Topics

Error Message "Strict Standards: Only Variables Should Be Passed by Reference"

How to Sum All Column Values in Multi-Dimensional Array

Multiple Inputs With Same Name Through Post in PHP

How to Make Asynchronous Http Requests in PHP

Getting Raw SQL Query String from Pdo Prepared Statements

How to Generate in PHP All Combinations of Items in Multiple Arrays

Two-Way Encryption: I Need to Store Passwords That Can Be Retrieved

PHP Foreach Change Original Array Values

PHP & MySQL: Year 2038 Bug: What Is It - How to Solve It

Simple Xml - Dealing With Colons in Nodes

Why Check Both Isset() and !Empty()

Pdo Prepared Inserts Multiple Rows in Single Query

How to Create a Pdo Parameterized Query With a Like Statement

MySQL VS MySQLi When Using PHP

How to Remove  from the Beginning of a File

MySQL Connection Not Working: 2002 No Such File or Directory

Using Str_Replace So That It Only Acts on the First Match

Understanding MVC Views in PHP


Leave a reply



Submit