
I'm using the html function for inserting HTML content into a db table and the filter function for filtering user inputs against SQL injection attacks. I'm getting output like this: prntscr.com/3c8ht. I have the following questions:

1) Through which functions does HTML content need to be passed before insert and on output?
2) What else is needed for the filter function, or is there any unused function?

Thanks in advance

// Filter for plain user input before it goes into the database.
// Note: stripslashes() below removes the backslashes that escape_string() added,
// so the escaping for SQL is undone again before the value is returned.
function filter($data, $db)
{
    $data = $db->escape_string($data);                 // escape quotes/backslashes for SQL
    $data = htmlspecialchars($data, ENT_IGNORE, 'utf-8'); // encode <, >, &, " as entities
    $data = strip_tags($data);                         // remove any remaining HTML tags
    $data = stripslashes($data);                       // strip backslashes (undoes escape_string)
    $data = htmlentities($data);                       // encode all applicable characters again
    return $data;
}

// Used for HTML content that should be stored as-is (only SQL-escaped).
function html($data, $db)
{
    $data = $db->escape_string($data);
    return $data;
}
  • What about base64 encoding data before saving? It will eliminate every possible server-side attack, and you need to sanitize only before output. Commented Oct 5, 2011 at 9:07
  • If you have the chance, using PDO will help you eliminate SQL injection. php.net/manual/en/book.pdo.php Commented Oct 5, 2011 at 9:10
  • Depending on what level of control you want to have over user input in HTML, it might be worth giving HTMLPurifier a go: htmlpurifier.org Commented Oct 5, 2011 at 11:34

2 Answers

You should use the escaping tool required by the medium, not just any one anywhere.

To avoid SQL injection, mysql_real_escape_string() is, at minimum, what you need to use. A better alternative is using prepared statements and parameterized queries (look into the PDO extension, which has shipped with PHP since v5.1 IIRC), which will be the safest option to avoid this kind of exploit.

Sending unescaped HTML to the db does nothing, since malicious scripts aren't executed there, of course. HTML needs to be sanitized ON OUTPUT, whenever you're going to print it out on the page, and this should be done only when needed, not a priori.

To secure HTML you can use htmlentities() as a minimum step. You might also want to consider complex filters to replace occurrences of "bad" words and bad characters: this is a more complex case which requires a long set of operations but of course will grant you the most accurate level of security. You can ask another question on this topic, or search here on SO.
strip_tags() might just break your markup (it won't be HTML anymore, more likely plain text), besides not being in itself secure at all.
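The two points of this answer (bind parameters for the SQL side, escape for HTML only at output time) put together as an added example; this is not code from the question or the answer. It uses PDO's SQLite driver with an in-memory database so it runs offline without a MySQL server, and the table and column names are made up for the demo; for MySQL only the DSN in open_db() changes.

```php
<?php
// Added example: store user text via a PDO prepared statement, escape on output.
// Assumes the pdo_sqlite extension; the "comments" table is a constructed schema.
declare(strict_types=1);

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');   // for MySQL: 'mysql:host=...;dbname=...;charset=utf8mb4'
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Request real server-side prepares where the driver supports them (MySQL);
    // SQLite ignores the attribute, which is harmless here.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Insert: the value travels as a bound parameter and is never spliced into the
// SQL text, so there is no escape_string()/strip_tags()/htmlentities() pass on the way in.
function save_comment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function load_comment(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// Output: escape for the HTML text context at the point of printing.
// ENT_QUOTES covers both quote styles, so the same helper is safe inside a
// double- or single-quoted attribute value as well as in element text.
function render_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: a quote that would break a string-concatenated
// query, and a tag that would execute if echoed unescaped.
$samples = [
    "O'Reilly said: it's fine",
    '<script>alert("xss")</script>',
];

$db = open_db();
foreach ($samples as $input) {
    $id     = save_comment($db, $input);
    $stored = load_comment($db, $id);
    // The database holds the text exactly as typed ...
    if ($stored !== $input) {
        throw new RuntimeException('stored value differs from input');
    }
    // ... and escaping happens once, for the browser, when the page is built.
    echo '<p>', render_html($stored), "</p>\n";
}
```

Run with `php example.php`: both rows come back byte-for-byte identical to the input, and the printed `<p>` elements contain `&lt;script&gt;` and `&#039;` rather than live markup. Nothing in the storage path depends on the character set or on a hand-rolled escaper, which is what makes the prepared statement the safer option the answer points to.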


Every time you use a user's input to store in the database, you should use mysql_real_escape_string().

Now if you are retrieving some long text which contains newline feeds, use nl2br() while printing the data.

http://php.net/manual/en/function.mysql-real-escape-string.php
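The nl2br() step this answer mentions has an ordering subtlety worth seeing on a concrete input: nl2br() inserts `<br />` tags, so it must run after HTML escaping, otherwise its own tags get escaped too. Added example, not from the answer; the stored text is a constructed two-line comment.

```php
<?php
// Added example: escape first, then convert newlines, so that only the
// <br /> tags we insert ourselves survive as markup.
declare(strict_types=1);

function render_multiline(string $text): string
{
    // Correct order: user-supplied "<b>" becomes &lt;b&gt;, then "\n" gets a <br />.
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

function render_multiline_wrong_order(string $text): string
{
    // Reversed order: the <br /> inserted by nl2br() is escaped to &lt;br /&gt;
    // and shows up literally on the page instead of breaking the line.
    return htmlspecialchars(nl2br($text), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input: two lines, the second containing markup typed by the user.
$stored = "first line\n<b>second</b> line";

echo "correct order:\n", render_multiline($stored), "\n\n";
echo "wrong order:\n", render_multiline_wrong_order($stored), "\n";
```

In the correct-order output the first line ends in a real `<br />` while the user's `<b>` is rendered as `&lt;b&gt;`; in the reversed order every tag, including the line break, is escaped and the text renders as one line with a visible `<br />`. nl2br() keeps the original newline after the tag, so the echoed source still wraps where the input did.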
