addslashes/stripslashes are functions people will often use to escape stuff for the database. You won't be using that, because they still carry the possibility of unsafe data. What you think and what your users do are two very different things. You need to assume the user is out to destroy your website and protect it accordingly. You shouldn't have any issues with slashes; I don't know why we are still on this subject.

strip_tags has been known to let things through that shouldn't get through. htmlspecialchars has less of a reputation, so use that.

As far as the code block you posted, it works the same, but what I am saying is don't take that approach of trying to sanitize every bit of data contained in $_POST, $_GET, and $_COOKIE. It creates unnecessary processing on the script side. If you are posting two variables to a page, say 'username' and 'password', then do this:

PHP:
    // escape each input as you take it in
    $username = htmlspecialchars($_POST['username']);
    $password = htmlspecialchars($_POST['password']);
    // only the value that actually goes into a query gets the database escaping
    $username = mysql_real_escape_string($username);
    $sql = "SELECT * FROM users WHERE username = '$username'";
    $result = mysql_query($sql);
    $row = mysql_fetch_assoc($result);
    // ...

Run htmlspecialchars() on each input variable as you take them in, one at a time. Only if you end up using it in a query, then go ahead and run mysql_real_escape_string() on it.
No, not a replacement, only to remove it. But to be safe, leave the htmlspecialchars() as well:

    htmlspecialchars(strip_tags($output)); // no need to output nasties, and be sure not to output nasties in nasty form

but htmlspecialchars should be efficient enough. strip_tags only works on, say, <p>, but wouldn't be good on something like <p style="<nasty java stuff here>"> or something to that effect. Sorry, I'm not a hacker, but they can pass stuff inside like that, as strip_tags is not a remove-all-tags function.
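An added example, not code from this thread, that shows the point the post above is making: strip_tags() keeps every attribute on a tag you whitelist (this is documented behaviour of the function), so a <p style="..."> or <p onmouseover="..."> passes through it unchanged, and the text inside a stripped <script> tag stays behind; htmlspecialchars() turns the markup characters into entities so the browser shows the input as text. The sample inputs are constructed for the demo; the helper name strip_vs_escape is my own.

```php
<?php
// Added example (not code from the thread): what strip_tags() and
// htmlspecialchars() each do with attacker-style input. strip_tags() keeps
// every attribute on a tag you whitelist, so "<p style=...>" or
// "<p onmouseover=...>" passes through it unchanged, and it leaves the
// text inside a stripped <script> tag in place. htmlspecialchars() turns
// < > & " ' into entities, so the browser renders the input as text.

// Constructed inputs, the kind of thing the post warns about.
$samples = [
    '<script>alert("xss")</script>',
    '<p style="background:url(javascript:alert(1))">hello</p>',
    '<p onmouseover="alert(1)">hello</p>',
    '<img src=x onerror="alert(1)">',
];

/**
 * For each input, return the strip_tags() result (with <p> whitelisted,
 * as in the post) beside the htmlspecialchars() result.
 */
function strip_vs_escape(array $inputs, string $allowed = '<p>'): array
{
    $rows = [];
    foreach ($inputs as $in) {
        $rows[] = [
            'input'  => $in,
            // attributes on the whitelisted <p> survive untouched
            'strip'  => strip_tags($in, $allowed),
            // ENT_QUOTES also encodes single quotes, which the old
            // default flag (ENT_COMPAT) left alone
            'escape' => htmlspecialchars($in, ENT_QUOTES, 'UTF-8'),
        ];
    }
    return $rows;
}

foreach (strip_vs_escape($samples) as $r) {
    printf("input:  %s\nstrip:  %s\nescape: %s\n\n", $r['input'], $r['strip'], $r['escape']);
}
```

Run it with `php strip_vs_escape.php` and compare the two columns: the whitelisted <p> keeps its style and onmouseover attributes after strip_tags(), the <script> body survives as plain text, and only the htmlspecialchars() column is safe to echo into a page.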
No, not practical or helpful. You're manipulating data that you may need in its raw form. Only escape data going into a database query, and don't write a function for your query to do this; do it when you assign it and sanitize it right away. I always waste some memory on form input if it's a string for a db query:

    $moo = mysql_real_escape_string($_POST['moo']);
    // if I know it's supposed to be an integer, no sense escaping; make sure it's an int
    $int = intval($_POST['int']);
    // then I sanitize for what's acceptable for these fields, such as checking for valid
    // characters (error back if certain characters are present), checking string length,
    // yada yada yada; $error is set by those checks
    if ($error) {
        echo htmlspecialchars($moo);
    } else {
        // db_query() is my own query wrapper
        db_query("select `moo` from `do` where `field` = '?' AND field2 = $int LIMIT 1;", $moo);
    }
Thanks scriptinstaller.

If I understood you right, in your example you used "htmlspecialchars" while you don't need to, because you are not printing the variable to the screen... You only need "mysql_real_escape_string" (like you used).
And if I'm not? Should I still use "mysql_real_escape_string" for "$page" before pulling data from the DB?
Just to be sure: if I have this code:

PHP:
    $query = mysql_query("SELECT `choice`, `name` FROM `survey`");
    while ($index = mysql_fetch_array($query)) {
        $choice = $index['choice'];
        $name = $index['name'];
        echo $choice;
    }

then I need to add "htmlspecialchars" here:

PHP:
    $choice = htmlspecialchars($index['choice']);
    echo $choice;

(the variable "choice" was added into the DB by some user with some form.) Right? If yes, can't I just do htmlspecialchars($index) and then $choice = $index['choice']?
I always htmlspecialchars() my input because you never know if you are going to want to display it to the screen; plus, what goes into the database will come out of the database eventually. Let's say someone sets their username as "<script>alert('xss here');</script>", and you didn't use htmlspecialchars() on it. You can mysql_real_escape_string() that value and it will be safe for the database. If the user is just signing up for that name, it will insert it into the database as is. When you go back to display the username, you will have XSS. Now, let's say you do use htmlspecialchars on the registration; their username is now "&lt;script&gt;alert('xss here')&lt;/script&gt;" in the database. After that, you are now logging them in with a different script and you do not use htmlspecialchars() on your input. Although you are not outputting directly what they said to the screen, you still have to compare it to the stored value in the database, and the two strings do not match. That's why, to be safe and consistent, I always use htmlspecialchars on every string value I take into my scripts.
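An added example, not code from this thread, that works through the register / login / display flow the post above describes, and the "only escape at the query" rule from the earlier posts, plus the question of escaping a whole fetched row. It uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension and PHP 7.4 or later) and prepared statements in place of mysql_real_escape_string(), which no longer exists in PHP 7 and later; the function names, the table layout and the hostile inputs are my own constructions. The rule it demonstrates: store the raw value, keep it out of the SQL string with a bound parameter, and escape once, at output.

```php
<?php
// Added example (not code from the thread). PDO + in-memory SQLite
// (assumes pdo_sqlite) with bound parameters instead of
// mysql_real_escape_string(). Store raw, parameterise, escape at output.

function setup_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, pass_hash TEXT NOT NULL)');
    return $db;
}

// Registration: the username is stored exactly as typed. The bound
// parameter makes quotes and backslashes inert, so nothing is escaped here.
function register(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: the raw submitted username is compared with the raw stored one, so
// the strings match. Had registration stored htmlspecialchars($username)
// while login did not apply it, "<x>" would be looked up but "&lt;x&gt;"
// is what sits in the table.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, (string) $hash);
}

// Output: one escaping step, for the HTML context. htmlspecialchars() takes
// a single string, so a whole row is escaped with array_map(), not by
// passing the array to it directly.
function escape_row(array $row): array
{
    return array_map(
        static fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'),
        $row
    );
}

function render_users(PDO $db): string
{
    $html = "<ul>\n";
    foreach ($db->query('SELECT id, username FROM users ORDER BY id', PDO::FETCH_ASSOC) as $row) {
        $r = escape_row($row);
        $html .= "  <li data-id=\"{$r['id']}\">{$r['username']}</li>\n";
    }
    return $html . "</ul>\n";
}

$db = setup_db();
// Constructed hostile inputs: an XSS payload as a username, and a
// quote-based injection string used as a login name.
register($db, "<script>alert('xss here');</script>", 'hunter2');
register($db, 'alice', 'correct horse');

var_dump(login($db, "<script>alert('xss here');</script>", 'hunter2')); // raw input vs raw stored value
var_dump(login($db, "' OR 1=1 --", 'anything'));                        // bound parameter: the string is data, not SQL
echo render_users($db);
```

The first login succeeds because nothing was transformed on the way in, so the lookup key is the stored key; the second fails without touching the query structure because the bound parameter is never parsed as SQL. The rendered list carries the script tag as entities, which is the one place htmlspecialchars() belongs.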
If I have this code:

PHP:
    $query = mysql_query("SELECT `choice`, `name` FROM `survey`");
    while ($index = mysql_fetch_array($query)) {
        $choice = $index['choice'];
        $name = $index['name'];
        echo $choice;
    }

then I need to add "htmlspecialchars" here:

PHP:
    $choice = htmlspecialchars($index['choice']);
    echo $choice;

(the variable "choice" was added into the DB by some user with some form.) Right? If yes, can I do htmlspecialchars($index) and then $choice = $index['choice']?