Should I escape more than quotes and single quotes?
Posted: Tue Feb 08, 2005 7:55 pm
by voltrader
I have a review/comments script which stores info into a db. I escape those entries with the standard mysql_escape_string.
Is it good practice to also escape left and right brackets to prevent html injection?
I noticed I could inject html, but couldn't seem to inject a PHP echo statement.
Posted: Tue Feb 08, 2005 8:09 pm
by rehfeld
if you want to prevent html from being rendered by the browser when you output it, use htmlentities()
php code stored in your database won't be executed unless you use eval()
Posted: Tue Feb 08, 2005 9:48 pm
by voltrader
Thanks.
Posted: Wed Feb 09, 2005 9:59 am
by pickle
Also, if you read the documentation, you're supposed to be using mysql_real_escape_string() rather than mysql_escape_string(), although I'm still not sure exactly why.
...
Posted: Wed Feb 09, 2005 10:09 am
by s.dot
You should use mysql_real_escape_string.
It is the same as mysql_escape_string, with the exception that the character set is taken into consideration when escaping special characters. So, mysql_real_escape_string would provide you with international string escaping.
Also, as mentioned above you could use htmlentities to prevent it from being read by the browser.
Or, you could use htmlspecialchars to allow these special markings, and have them inserted into the database as their HTML entity.
However, if you need all special characters to be converted, it's recommended that you go with htmlentities() because this will translate all special characters into their entities. Then use eval() to print back to the browser.
Or, if you don't want any HTML at all to be passed to the database use strip_tags().
Posted: Wed Feb 09, 2005 10:20 am
by feyd
just a note: strip_tags is a dumb html stripper. You may want to look up the strip_tags I created a while ago.. the link to it is in the Useful Posts thread (linked to in my sig)
Posted: Wed Feb 09, 2005 11:50 am
by timvw
and not all dbms use slashes for escaping (fe mssql wants quotes).
adodb has $db->Qstr function i believe... too bad they don't have a $db->UnQstr.. (although you can write that yourself..)
Posted: Wed Feb 09, 2005 1:10 pm
by voltrader
Thanks for the clarification folks.
After some thought, I'm going to allow users to insert HTML tags. If any become a problem, I'll use regex to test for them specifically.
Should I be concerned about any common JS "exploits"?
Posted: Wed Feb 09, 2005 1:15 pm
by Joe
OSc has an excellent function for preparing database information. You should think about having a look.
Posted: Wed Feb 09, 2005 1:25 pm
by voltrader
Thanks for the tip. Will do. Do you have the link?
OSc=oscommerce?
Posted: Wed Feb 09, 2005 5:41 pm
by timvw
generally storing html is not bad...
but it _can_ become evil if you output it as is.
probably there are some nice functions (or in an extension) coming in php5.1 that will do this for you....
until then you should use htmlentities or something more specialised to allow only a subset of tags....
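The separation the thread converges on (quote for SQL when storing, encode for HTML when displaying, and treat an allowed subset of tags as a third, separate step) as an added example that is not any poster's code. It assumes PHP 8 with a PDO connection to a `comments(id, author, body)` table, uses PDO prepared statements in place of the mysql_* functions discussed, and its attribute-stripping regex is a deliberately minimal allow-list.

```php
<?php
// Added example, not from the thread. Assumes PHP 8, PDO, and a `comments`
// table with columns id, author, body. Each step handles one context only.
declare(strict_types=1);

// 1. Storage: a prepared statement quotes the value for the connection's
//    charset, so no addslashes/mysql_escape_string and no HTML encoding here.
//    Raw text goes into the database; encoding is the output layer's job.
function storeComment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// 2. Output: encode for HTML at render time. ENT_QUOTES covers both quote
//    styles (safe inside attributes too) and the charset is explicit.
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. Optional tag allow-list. strip_tags() keeps attributes on the tags it
//    allows (onclick included), so attributes are dropped in a second pass.
//    Minimal on purpose: only bare <b>, <i> and <p> survive.
function sanitizeLimitedHtml(string $text): string
{
    $clean = strip_tags($text, '<b><i><p>');
    return preg_replace('/<(\w+)[^>]*>/', '<$1>', $clean) ?? '';
}

$db = new PDO('mysql:host=localhost;dbname=reviews;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Constructed sample input: a quote for the SQL layer, a tag with an event
// attribute and a script tag for the HTML layer.
$author = "O'Brien";
$body   = '<b onclick="alert(1)">great</b><script>alert(1)</script>';

$id   = storeComment($db, $author, $body);
$stmt = $db->prepare('SELECT author, body FROM comments WHERE id = :id');
$stmt->execute([':id' => $id]);
$row  = $stmt->fetch(PDO::FETCH_ASSOC);

// Author is plain text, so it is fully encoded; body keeps the allowed tags only.
echo '<p>', escapeForHtml($row['author']), ' wrote: ', sanitizeLimitedHtml($row['body']), "</p>\n";
```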