htmlentities etc not doing anything

cbfb
Forum Newbie
Posts: 4
Joined: Thu Aug 26, 2010 11:45 pm

htmlentities etc not doing anything

Post by cbfb »

Hi

Got a very weird issue here; I have the code below running, all works OK except one minor detail; none of the functions intended to strip potentially malicious characters/strings work, i.e. stripslashes, htmlentities, strip_tags.

However, intermittently I have been able to get them to work by for example using:

Code:

$var = htmlentities($var);

I am at a dead loss as to why this doesn't work, have tried everything. Hopefully there is something really obvious I've overlooked?

Many thanks.

The page:

Code:

<?php
$foodgroup = "";

require_once '../lib/sanitize.php';
if (isset($_POST['food_group'])) $foodgroup = sanitizeMySQL($_POST['food_group']);

echo <<<_END
<html>
	<head>
		<title>Nutrition</title>
	</head>
	<body>
_END;
	if ($foodgroup != "") echo $foodgroup . " added successfully.";
echo <<<_END
	<form method="post" action="foodgroup.php">
		New food group: 
		<input type="text" name="food_group" />
		<input type="submit" />
	</form>
	</body>
</html>
_END;
?>
The include file:

Code:

<?php
function sanitizeString($var)
{
	$var = stripslashes($var);
	$var = htmlentities($var);
	$var = strip_tags($var);
	return $var;
}
function sanitizeMySQL($var)
{
	$var = mysql_real_escape_string($var);
	$var = sanitizeString($var);
	return $var;
}
?>
Gargoyle
Forum Contributor
Posts: 130
Joined: Wed Jul 14, 2010 12:25 am

Re: htmlentities etc not doing anything

Post by Gargoyle »

Chances are, everything is working fine but you just don't understand how to properly use those functions yet.

this will do:

Code:

<?php
function sanitizeMySQL($var)
{
        # you can uncomment this if you really want
        # $var = strip_tags($var);
        # needs an open mysql_connect() connection to escape correctly
        $var = mysql_real_escape_string($var);
        return $var;
}
?>
htmlentities() is then applied every time the data is written to the output, not before saving it to your database (with few exceptions).
cbfb
Forum Newbie
Posts: 4
Joined: Thu Aug 26, 2010 11:45 pm

Re: htmlentities etc not doing anything

Post by cbfb »

Gargoyle wrote: Chances are, everything is working fine but you just don't understand how to properly use those functions yet.
Probably correct. Had got the code out of an O'Reilly book so assumed it would work. Lesson learned.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: htmlentities etc not doing anything

Post by requinix »

Here's the explanation of why it doesn't work, as well as a PSA:

In case anyone sees this thread and considers using the sanitize* functions OP found, DON'T. Both functions are not well thought out and will cause problems if you assume that they work the way they are supposed to.

sanitizeString:
1. Assumes that the old magic_quotes_gpc setting is enabled. If it is not then you're creating a security hole by (a) enabling it, or (b) using this function.
2. Assumes that you'll always be dealing with HTML output. You will not. Maybe for now, but not in the future. Using htmlentities this early will likely cause problems for you later.
3. Tries to strip HTML tags that will no longer exist, thanks to using htmlentities - so trying to use it is just plain silly.
sanitizeMySQL:
1. Assumes that you have opened a database connection before using it. If you have not then you aren't getting the full benefit of mysql_real_escape_string and are, again, opening a security hole by using the function.
2. Immediately reverses most of the work mysql_real_escape_string does because of the stripslashes in sanitizeString. This is a big security hole.

It's disappointing to hear that the code came from an O'Reilly book.

- Instead of using sanitizeString, try

Code:

<?php
function sanitizeInputString($var)
{
        # only undo magic quotes if the setting is actually turned on
        if (function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc()) $var = stripslashes($var);
        return $var;
}
- Instead of using sanitizeMySQL just use mysql_real_escape_string on its own - but only sometime after a mysql_connect has happened.
- When printing something for use in an HTML page use htmlentities. For XML use htmlspecialchars.
- Using htmlentities or htmlspecialchars will handle HTML tags for you. Rather than remove them, which strip_tags will do, it encodes the <s and >s so that the tags appear as regular text. Most of the time this is okay, but if you want to explicitly remove those tags call strip_tags before htmlentities/htmlspecialchars.
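An added walk-through (my code, not from the thread or the book) of the double-handling problem requinix describes and of the split Gargoyle recommends: SQL escaping belongs to the query, HTML escaping to the output. It assumes addslashes() as a stand-in for mysql_real_escape_string(), which needs a live MySQL connection, and an in-memory SQLite database through PDO in place of MySQL.

```php
<?php
// Added example, not code from the thread. Shows why the book's sanitizeMySQL()
// undoes its own SQL escaping, then the recommended split: undo magic quotes
// on input, bind parameters for the database, escape for HTML only at output.
// Assumption: addslashes() stands in for mysql_real_escape_string() (which
// needs an open MySQL connection); both put a backslash before ' " and \.

$input = "O'Reilly <b>bold</b>";  // constructed sample value, as if from $_POST

// --- The book's pipeline, one step at a time ---
$escaped  = addslashes($input);                  // backslash added before the quote
$undone   = stripslashes($escaped);              // ...and removed again
$encoded  = htmlentities($undone, ENT_QUOTES);   // < > ' become entities
$stripped = strip_tags($encoded);                // nothing left to strip
assert($undone === $input);       // the SQL escaping was reversed before any query
assert($stripped === $encoded);   // strip_tags after htmlentities is a no-op

// --- The recommended split ---
function sanitizeInputString($var)
{
    // Only undo magic_quotes_gpc when that setting is actually on (old PHP).
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $var = stripslashes($var);
    }
    return $var;
}

// Store the raw value with a bound parameter; SQLite in memory stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE food_group (name TEXT)');
$stmt = $db->prepare('INSERT INTO food_group (name) VALUES (:name)');
$stmt->execute([':name' => sanitizeInputString($input)]);

// Read it back: the database holds the original text, quote and tags intact.
$stored = $db->query('SELECT name FROM food_group')->fetchColumn();
assert($stored === $input);

// Escape for the output context only when rendering the HTML page.
$html = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
echo $html, " added successfully.\n";
```

The page renders the tags as literal text, which is what the OP saw and read as htmlentities "not working"; view the page source to see the encoded entities.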
cbfb
Forum Newbie
Posts: 4
Joined: Thu Aug 26, 2010 11:45 pm

Re: htmlentities etc not doing anything

Post by cbfb »

THANK YOU tasairis, that has connected all the loose ends I had in my head.
tasairis wrote: 3. Tries to strip HTML tags that will no longer exist, thanks to using htmlentities - so trying to use it is just plain silly.
I did wonder about this...
tasairis wrote: It's disappointing to hear that the code came from an O'Reilly book.
Exactly. Actually the original copy of this book was so riddled with errors that I complained to O'Reilly, who gave me a free copy of the new edition. But sounds like that isn't 100% either. Will check the errata before I go any further.

Thanks again :)
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: htmlentities etc not doing anything

Post by requinix »

If you aren't sure about something you see in the book (or any book, or anywhere), Google the purpose. For example, if you need a way to "sanitize" stuff and you aren't sure whether the function(s) presented are any good - or if you want to try making one yourself - then search for "PHP sanitize string".

But yeah: always look for errata. Especially for subject matter that changes every year.
cbfb
Forum Newbie
Posts: 4
Joined: Thu Aug 26, 2010 11:45 pm

Re: htmlentities etc not doing anything

Post by cbfb »

tasairis wrote: If you aren't sure about something you see in the book (or any book, or anywhere), Google the purpose. For example, if you need a way to "sanitize" stuff and you aren't sure whether the function(s) presented are any good - or if you want to try making one yourself - then search for "PHP sanitize string".
Yes, I have been looking at http://www.php.net/manual/en/ and double-checking everything I read now. Certainly more than one way to skin a cat it seems. All good fun though.