
I'm currently working on making sure that text that is submitted into the database for a web application I am working on is sanitized properly before being submitted to the database, and then retrieved and displayed correctly.

Ignoring the jumble of sanitizing functions that are currently being used (it is currently a mess and breaks things), this is what I plan on doing:

  1. Use CKEditor for text input. It automatically converts HTML tags/symbols to their HTML entities.

  2. Utilize PDO prepared statements to submit the text to the database.

Is this enough to properly sanitize input? I've been reading up on this, and many people say to use magic quotes; however, I read that magic quotes are old and most recommend against using them.

Thank you in advance for any assistance!

Comments

  • 1. That's nice, but use data correctly at the use site (i.e. encode when emitting HTML); 2. Prepared statements eliminate SQL injection but they do not eliminate using data incorrectly in other places (e.g. XSS, HTML, exec injection). Magic quotes were a bad idea that tried - and failed - to fix what #2 addresses. Business rule "sanitization" should be done, but for information correctness, and not [necessarily] from a data injection viewpoint. Commented Feb 19, 2013 at 21:09
  • @pst so I should do what everyone else is saying and use htmlspecialchars when outputting the input from the database? Will that interfere with CKEditor replacing HTML tags/symbols with their entities? Commented Feb 19, 2013 at 21:33
  • Yes, always encode output! (Except if there is a really good reason not to.) I personally do not encode input. Otherwise there is a blob of .. junk .. in the database. Store the information for what it is supposed to be. While it might make sense to convert the contents of a "rich text" editor into a normalized format (e.g. markdown/markup/bbcode), I would not recommend storing it "html encoded", as databases don't care about HTML. However, Business Rules might dictate that only <em> and <a> elements are allowed - now this should be enforced as it is part of the information. Commented Feb 19, 2013 at 21:35

2 Answers


Well, PDO is okay only with basic cases from a beginner's manual.
Any complex issue will bring PDO into trouble, as it would any other API.

But as long as you are ready to waste your time writing huge insert statements, repeating every variable six to ten times following all these answers around here, PDO is okay.

But just to let you know, there is no prepared statement for identifiers.

As for the CKEditor - isn't it a client-side application? If so, it will protect nothing.
So, better follow the advice from the other answer: pass untrusted user input through htmlspecialchars() when displaying it on an HTML page.


1 Comment

Thank you for your reply. CKEditor IS a client-side application. One of the reasons I decided to use it was the fact that it replaced HTML tags and symbols with HTML entities... the users who use the application had a VERY bad habit of copying and pasting whatever crap they found into the application, so CKEditor helps set a standard for what is going into the database.

Don't use magic quotes. http://php.net/manual/en/security.magicquotes.php

This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

If you're using prepared statements then you should be safe from SQL injection. Remember to run user-inputted data through htmlspecialchars() when displaying it on the front-end.

1 Comment

So when displaying the information from the database (that will have HTML entities like &#39;) I should use htmlspecialchars before displaying it to the user?
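The two answers between them recommend bound parameters for the SQL side and htmlspecialchars() at the point of output, and the first answer notes that identifiers cannot be bound. The following is an added example, not code from the question or from either answer, that shows all three points against an in-memory SQLite database so it runs offline. It assumes PHP 7 or later with the pdo_sqlite extension; the posts table, its column names, the helper name h() and the sample strings are invented for the demonstration. The last step also shows what happens to text that the editor has already entity-encoded, which the comment above asks about.

```php
<?php
// Added example (not code from the question or either answer). Assumes PHP 7+
// with pdo_sqlite. Table name, columns, helper name and sample data are made up.
declare(strict_types=1);

// Output encoding: the one place untrusted text is made safe for HTML.
// ENT_QUOTES encodes both ' and " so the value is also safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string;
// the charset argument must match the encoding the page is actually served in.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for real server-side prepares rather than client-side emulation
// (no effect on SQLite, but it matters for the MySQL driver).
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

// Constructed "user input": an apostrophe, an injection attempt and raw markup.
$samples = [
    ['author' => "O'Brien",                   'body' => "Plain text with 'quotes'"],
    ['author' => "x'); DROP TABLE posts; --", 'body' => 'injection attempt'],
    ['author' => 'pasted',                    'body' => '<script>alert(1)</script>'],
];

// 1. Store the text exactly as entered. Bound values travel separately from the
//    SQL text, so quotes and semicolons inside them are data, not syntax.
$insert = $pdo->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
foreach ($samples as $row) {
    $insert->execute([':author' => $row['author'], ':body' => $row['body']]);
}

// 2. Identifiers cannot be bound. When the user picks a sort column, map the
//    request onto a fixed whitelist instead of interpolating the raw string.
function orderedPosts(PDO $pdo, string $requestedSort): array
{
    $allowed = ['id' => 'id', 'author' => 'author'];
    $column  = $allowed[$requestedSort] ?? 'id';   // unknown names fall back to id
    $stmt = $pdo->query("SELECT author, body FROM posts ORDER BY $column");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Encode at the point of output, never before storing.
foreach (orderedPosts($pdo, 'author') as $post) {
    echo '<p><strong>' . h($post['author']) . '</strong>: ' . h($post['body']) . "</p>\n";
}
// The "DROP TABLE" row is simply a literal author name; the table survived.
echo 'rows: ' . $pdo->query('SELECT COUNT(*) FROM posts')->fetchColumn() . "\n";

// 4. Text that arrived already entity-encoded (e.g. from the editor). With the
//    default double_encode=true the ampersand of "&#39;" is encoded again, so
//    the reader sees the entity text itself; passing false leaves existing
//    entities alone, but it also means the stored data is half HTML, which is
//    why the comments above recommend storing the raw text instead.
$preEncoded = 'it&#39;s';
echo h($preEncoded) . "\n";
echo htmlspecialchars($preEncoded, ENT_QUOTES, 'UTF-8', false) . "\n";
```

Run it with `php example.php` and compare the last two lines of output: the first shows the double-encoded form, the second the entity preserved. The cleaner fix is the one the comments suggest, store what the user actually typed and let h() do all the encoding at output, so the double_encode question never arises.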
