Should I escape more than quotes and single quotes?

voltrader
Forum Contributor
Posts: 223
Joined: Wed Jul 07, 2004 12:44 pm
Location: SF Bay Area

Should I escape more than quotes and single quotes?

Post by voltrader »

I have a review/comments script which stores info into a db. I escape those entries with the standard mysql_escape_string.

Is it good practice to also escape left and right brackets to prevent html injection?

I noticed I could inject html, but couldn't seem to inject a PHP echo statement.
rehfeld
Forum Regular
Posts: 741
Joined: Mon Oct 18, 2004 8:14 pm

Post by rehfeld »

if you want to prevent html from being rendered by the browser when you output it, use htmlentities()

php code stored in your database won't be executed unless you use eval()
voltrader
Forum Contributor
Posts: 223
Joined: Wed Jul 07, 2004 12:44 pm
Location: SF Bay Area

Post by voltrader »

Thanks.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

Also, if you read the documentation, you're supposed to be using mysql_real_escape_string() rather than mysql_escape_string(), although I'm still not sure exactly why.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

You should use mysql_real_escape_string.

It is the same as mysql_escape_string, with the exception that the character set is taken into consideration when escaping special characters. So, mysql_real_escape_string would provide you with international string escaping.

Also, as mentioned above you could use htmlentities to prevent it from being read by the browser.

Or, you could use htmlspecialchars to allow these special markings, and have them inserted into the database as their HTML entity.

However, if you need all special characters to be converted, it's recommended that you go with htmlentities() because this will translate all special characters into their entities. Then use eval() to print back to the browser.

Or, if you don't want any HTML at all to be passed to the database use strip_tags().
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

just a note: strip_tags is a dumb html stripper. You may want to look up the strip_tags I created a while ago. The link to it is in the Useful Posts thread (linked to in my sig).
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

and not all DBMSs use slashes for escaping (e.g. MSSQL wants quotes).

adodb has a $db->Qstr function I believe... too bad they don't have a $db->UnQstr (although you can write that yourself).
voltrader
Forum Contributor
Posts: 223
Joined: Wed Jul 07, 2004 12:44 pm
Location: SF Bay Area

Post by voltrader »

Thanks for the clarification folks.

After some thought, I'm going to allow users to insert HTML tags. If any become a problem, I'll use regex to test for them specifically.

Should I be concerned about any common JS "exploits"?
Joe
Forum Regular
Posts: 939
Joined: Sun Feb 29, 2004 1:26 pm
Location: UK - Glasgow

Post by Joe »

OSc has an excellent function for preparing database information. You should think about having a look.
voltrader
Forum Contributor
Posts: 223
Joined: Wed Jul 07, 2004 12:44 pm
Location: SF Bay Area

Post by voltrader »

Thanks for the tip. Will do. Do you have the link?

OSc=oscommerce?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

generally storing html is not bad...
but it _can_ become evil if you output it as is.

probably there are some nice functions (or in an extension) coming in php5.1 that will do this for you....

until then you should use htmlentities or something more specialised to allow only a subset of tags....
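As an added example (not code from any poster in this thread), the two output-side options discussed above: rendering the stored comment as literal text with htmlspecialchars(), and allowing a small subset of tags with strip_tags(), which, as feyd notes, is a dumb stripper and leaves attributes on the tags it allows. The comment text is constructed sample input; database escaping is a separate step and is not shown because mysql_real_escape_string() needs a live connection (and the mysql extension was removed in PHP 7).

```php
<?php
// Store the raw comment unchanged (DB-escaped or parameterised on the way in)
// and decide how much HTML to honour at output time.

// Option 1: everything is literal text. ENT_QUOTES also escapes single quotes,
// and the charset argument matters for multibyte input, for the same reason
// mysql_real_escape_string() takes the connection charset into account.
function render_as_text(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Option 2: allow only a subset of tags. strip_tags() keeps the attributes of
// allowed tags, so any attribute left on them is removed in a second pass;
// everything not in $allowed is dropped as a tag while its text is kept.
function render_with_subset(string $raw, array $allowed = ['b', 'i']): string
{
    $allowedTags = '';
    foreach ($allowed as $tag) {
        $allowedTags .= '<' . $tag . '>';
    }
    $stripped = strip_tags($raw, $allowedTags);

    // <b onclick="..."> becomes <b>, </b> stays </b>
    $pattern = '/<(\/?)(' . implode('|', $allowed) . ')\b[^>]*>/i';
    return preg_replace($pattern, '<$1$2>', $stripped);
}

// Constructed sample comment: a harmless tag, an attribute-carrying tag,
// a tag that should never be rendered, and both kinds of quotes.
$comment = 'Great <b onclick="x()">product</b>, "5\' wide" & '
         . '<a href="http://example.com/">link</a> <script>x()</script>';

echo render_as_text($comment), "\n";
// Great &lt;b onclick=&quot;x()&quot;&gt;product&lt;/b&gt;, &quot;5&#039; wide&quot; &amp; ...

echo render_with_subset($comment), "\n";
// Great <b>product</b>, "5' wide" & link x()
```

Note that strip_tags() removes the `<script>` tags but not the text between them, and `&` is left unescaped in option 2; if the subset route is taken, escape the text outside the allowed tags as well.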