Hi. When inserting a comment into a database, is it safe to insert it as follows: `mysql_real_escape_string($comment);` Then, when retrieving it to display on a web page, use `stripslashes($comment);` So the slashes only appear in the database? Thanks
If the comment is going to be submitted by a member of the public, then no, not quite. Unless you want people to be able to post HTML tags, you'll want to use `htmlentities($comment);` when it is fetched from the database for display, as well as stripslashes. (For more info on this, search for XSS on Google.) If you do want people to be able to use HTML tags, but not execute XSS 'attacks', then someone else'll have to post some code to filter out XSS while allowing some HTML (haven't got any code for it ready right now).
Hi, why is that wrong? If we do not strip the slashes and just output it, will the results be shown with "slashes"?
Where do you see "extra slashes" here? mysql_real_escape_string is used only for database writing, and the string in the DB will be "as is".
Could someone put some sample XSS attack code so I can input it and see if anything happens, or is it too malicious? I'm using, before input:

```php
function secureinput($comment) {
    // escape quotes, backslashes and NUL for the SQL statement
    $comment = mysql_real_escape_string($comment);
    // drop angle brackets so no tags reach the page
    $replace = array('<', '>');
    $comment = str_replace($replace, '', $comment);
    return $comment;
}
```

then, from the database:

```php
$comment = stripslashes($row);
```

This allows the bbcode and smilies etc. to all work and, as far as I'm aware, keeps everything secure.
http://ha.ckers.org/xss.html, and you should run stripslashes() before mysql_real_escape_string(); Magic Quotes is the keyword. Currently you are turning `'` into `\\\'`, but you only need `\'`.
When I said I run stripslashes, I meant I run it in the script that displays the code on another page. Is this wrong? What should the function above look like?
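As an added example (not posted by anyone in this thread), here is the same pipeline with the three layers the thread keeps mixing up kept separate: undo Magic Quotes once on input, escape for SQL only on the write, and escape for HTML only on output. It assumes an open connection from the old mysql extension in `$link` and a `comments` table with a `body` column; both are assumptions, not something from the thread.

```php
<?php
// Added example: the three layers of handling a public comment in PHP 5-era code.
// Assumes $link is an open mysql_connect() handle and a table comments(body).

// 1. Input. With magic_quotes_gpc on, PHP has already added slashes to $_POST,
//    so undo that here, once, to get back the raw text the user typed.
function raw_input($value) {
    return get_magic_quotes_gpc() ? stripslashes($value) : $value;
}

// 2. Write. Escape for the SQL literal only. MySQL consumes the backslashes
//    when it parses the statement, so the stored row holds the raw text,
//    not the slashes; there is nothing to "strip" later.
function store_comment($link, $comment) {
    $sql = "INSERT INTO comments (body) VALUES ('"
         . mysql_real_escape_string($comment, $link) . "')";
    return mysql_query($sql, $link);
}

// 3. Output. Escape for HTML at the point of display. <script> becomes
//    &lt;script&gt; and is rendered as text, so tags and quotes are inert.
//    No stripslashes here: the row is already "as is".
function display_comment($comment) {
    return htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
}

$comment = raw_input($_POST['comment']);
store_comment($link, $comment);

// later, when rendering a fetched row:
// echo display_comment($row['body']);
```

Escaping on output rather than deleting `<` and `>` on the way in also keeps the stored comment intact, so a bbcode renderer can still run on it before the final `htmlspecialchars()`.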