Hi, I need to insert data from a form into my database. In order to avoid SQL injection, I use the mysql_real_escape_string function. However, that does not protect if someone inserts HTML tags like <img>, <input> ... . My first question is: 1. Having HTML tags being inserted in my database, is it a security worry? 2. If yes, should I use the htmlentities function or something else? Using the htmlentities function makes my db less readable and I will have to reconvert it back before showing the information. Any alternative? Thanks, Yoel
Having them inserted is not a problem at all; it just depends on what you do later on with the data. HTML cannot damage your database or website; however, it can make XSS attacks possible (which would take place on the client side if you're displaying the submitted data again). This makes your site less secure for your visitors. But as said, only if you display the data to the users. htmlentities(), htmlspecialchars() and strip_tags() can be used to avoid this.
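The point made in the reply above, store the text unchanged and encode it at the moment it is rendered as HTML, shown as an added PHP example (this is not code from the thread). The submitted string is a constructed sample standing in for a form field, and the "database row" is a plain variable so the script runs without a database; only the HTML-side functions named in the reply are exercised.

```php
<?php
// Added example (not from the original thread): keep the submitted text as-is
// in storage and escape it where it is displayed as HTML.

// Constructed sample submission containing HTML, standing in for $_POST['comment'].
$submitted = 'Hello <img src="x" onerror="alert(1)"> & goodbye <b>world</b>';

// --- Storing ---------------------------------------------------------------
// Stand-in for the database row: the text is stored unchanged. The SQL side
// (mysql_real_escape_string in the thread, or a parameterised query today)
// is a separate concern from HTML and is not shown here.
$storedValue = $submitted;

// --- Displaying ------------------------------------------------------------
// Encoding at output time: the browser shows the tag literally instead of
// interpreting it. ENT_QUOTES also encodes single quotes, so the result is safe
// inside attribute values; the charset argument must match the page's encoding.
function renderAsText(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Alternative: remove the tags entirely with strip_tags(), which is what
// "disallow HTML" looks like. strip_tags() removes the tags, not the text
// between them, so the remaining text is still escaped before output.
function renderWithoutTags(string $value): string
{
    return htmlspecialchars(strip_tags($value), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo "stored value:        " . $storedValue . PHP_EOL;
echo "escaped for display: " . renderAsText($storedValue) . PHP_EOL;
echo "tags stripped:       " . renderWithoutTags($storedValue) . PHP_EOL;

// --- Why encoding before storage is the less convenient option ---------------
// If htmlentities() is applied before the INSERT, the stored text is harder to
// read (for example in phpMyAdmin) and any non-HTML consumer has to decode it.
$encodedAtInput = htmlentities($submitted, ENT_QUOTES, 'UTF-8');
echo "encoded at input:    " . $encodedAtInput . PHP_EOL;
echo "decoded back:        " . html_entity_decode($encodedAtInput, ENT_QUOTES, 'UTF-8') . PHP_EOL;
```

Running the script with `php` prints the raw value, the escaped form (with `&lt;img ...&gt;` and `&amp;`), the stripped form, and the entity-encoded form together with its decoded round trip, which illustrates the readability concern raised in the first post.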
Thanks Nico. In my case, only the user who has entered the data will be able to see it afterwards, and myself, while browsing the db with phpadmin. In that case, I understand there should be no worry?
No, there shouldn't be. However, I would still disallow HTML to make it look slightly more professional in case someone decides to play with your script.
If I am performing a regular expression check with ereg looking for input to be only numbers, or only alpha, is there a point in submitting the result of it to the mysql_real_escape_string function before sending it to the DB?
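The question above receives no reply on this page; the following is an added example (the editor's, not a poster's code) of the two steps it mentions, format validation and SQL escaping, done together. Because ereg() was removed in PHP 7, preg_match() is used for the pattern check; the sample inputs are constructed, and the mysqli connection in the last function is assumed to exist and is not opened here.

```php
<?php
// Added example (not from the thread): validate the format with a regular
// expression, then still pass the value to the database through a bound
// parameter rather than by pasting it into the SQL text.

function isDigitsOnly(string $value): bool
{
    return preg_match('/^[0-9]+$/', $value) === 1;
}

function isAlphaOnly(string $value): bool
{
    return preg_match('/^[A-Za-z]+$/', $value) === 1;
}

// Constructed inputs; the last two contain characters outside the allowed sets.
$inputs = ['12345', 'yoel', "12'34", '<b>yoel</b>'];

foreach ($inputs as $input) {
    $ok = isDigitsOnly($input) || isAlphaOnly($input);
    echo str_pad($input, 14) . ($ok ? 'accepted' : 'rejected') . PHP_EOL;
}

// With mysqli, a prepared statement sends the value separately from the SQL
// text, so the escaping step is handled by the driver. Validation is kept as
// the first check; the bind is the second, independent one.
// Assumed: $mysqli is an open mysqli connection and table users has column age.
function insertAge(mysqli $mysqli, string $age): bool
{
    if (!isDigitsOnly($age)) {
        return false;            // rejected before the database is touched
    }
    $stmt = $mysqli->prepare('INSERT INTO users (age) VALUES (?)');
    $stmt->bind_param('s', $age);
    return $stmt->execute();
}
```

The loop runs without a database and shows which inputs the patterns accept; insertAge() is only called once a connection is available.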