Escaping not enough?
Escaping not enough?
Hello, I know this is brought up probably quite often on the subject of SQL injection, as in always validating input fields for what they are meant to be, which brings me to a question. Let's say I have a form that has a textarea that allows HTML and the whole nine. I run the code, clean the HTML through HTMLPurifier and then escape it using mysql_real_escape_string(). I read, though, that escaping isn't always enough. What kind of measures are then expected to be taken, since this form of input can accept multiple characters, or is escaping it enough? Should I store the input encrypted, or is that just a bunch of nonsense?
Re: Escaping not enough?
Escaping it is enough to prevent SQL injection, I believe. XSS and other code exploits that allow HTML.. well that's a whole different subject.
I'm not sure if magic_quotes_gpc has any effect on sql escaping -- but I always take into account that setting in everything I write.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Re: Escaping not enough?
Yea, I noticed the HTMLPurifier turns the stuff into entities also, but I still do escape.
The HTMLPurifier seems to stop all of the XSS I have tried against it; I've tried a couple of cheat sheets, along with SQL injections, and have also run Acunetix on it.
I'm just overly paranoid.
Thanks for the response.
Re: Escaping not enough?
You appear to misunderstand why injections (SQL, XSS, etc) happen, and when and how one should escape. HTMLPurifier and mysql_real_escape_string() offer solutions towards two different injections. HTMLPurifier will not stop sql injection and mysql_...() will not stop XSS.
Judging from your wording, you have read my paper (or should read it if you haven't): http://www.webappsec.org/projects/articles/091007.shtml. Check it (again?), esp. the references at the bottom, which list papers that cover the basics of SQL injection.
Well, there are other factors - mostly correct use of quotes and not doing silly things with the query. Check the paper for details.
Scottayy wrote:
Escaping it is enough to prevent SQL injection, I believe. XSS and other code exploits that allow HTML.. well that's a whole different subject.
I'm not sure if magic_quotes_gpc has any effect on sql escaping -- but I always take into account that setting in everything I write.
Magic quotes were precisely (mis)designed to help with legacy code vulnerable to SQL injection.
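The "correct use of quotes" point above, as an added example that is not from the thread or the linked paper: the same escape-then-splice pattern once in a quoted context and once in an unquoted integer context, beside the validate-and-bind version. It assumes Python's bundled sqlite3 in place of MySQL, so the escape helper doubles quotes the way SQLite wants rather than backslash-escaping as mysql_real_escape_string() does; the sample table and values are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a forum's posts table.
SAMPLE_POSTS = [(1, "alice", "first post"), (2, "bob", "second post"),
                (3, "carol", "third post")]

def escape_for_literal(value: str) -> str:
    """Escape a value for use INSIDE a single-quoted SQL string literal.
    SQLite doubles the quote; mysql_real_escape_string() backslash-escapes
    instead, but the role is the same: it only means anything between quotes."""
    return value.replace("'", "''")

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, author TEXT, body TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn

def ids_by_author_quoted(conn, author: str) -> list:
    # Escaped AND quoted: a stray quote in the input stays inside the literal,
    # so the whole input is compared as data and nothing unexpected matches.
    sql = "SELECT id FROM posts WHERE author = '%s'" % escape_for_literal(author)
    return [row[0] for row in conn.execute(sql)]

def ids_by_id_unquoted(conn, post_id: str) -> list:
    # Escaped but NOT quoted: with no quote to break out of, escaping is a
    # no-op and whatever was typed is parsed as SQL. This is the misuse of
    # quotes the thread warns about; escaping alone cannot fix it.
    sql = "SELECT id FROM posts WHERE id = %s" % escape_for_literal(post_id)
    return [row[0] for row in conn.execute(sql)]

def ids_by_id_safe(conn, post_id: str) -> list:
    # Validate the field for what it is meant to be (an integer; int() raises
    # ValueError otherwise), then bind it so it never becomes SQL text.
    return [row[0] for row in conn.execute(
        "SELECT id FROM posts WHERE id = ?", (int(post_id),))]

if __name__ == "__main__":
    db = make_db()
    print(ids_by_author_quoted(db, "alice"))             # [1]
    print(ids_by_author_quoted(db, "alice' OR 1=1 --"))  # []  escaping did its job
    print(ids_by_id_unquoted(db, "2"))                   # [2]
    print(ids_by_id_unquoted(db, "2 OR 1=1"))            # [1, 2, 3]  escaping changed nothing
    print(ids_by_id_safe(db, "2"))                       # [2]
```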
Re: Escaping not enough?
Maybe I worded it wrong. I understand the differences between the two and I understand that HTMLPurifier does not stop SQL injection.
I was pretty much just referencing them together because they will both play a part in the script I am making. Yes, I have read your article, by the way, a while back when I was first introduced to mysql_real_escape_string(), and I read it over again; it makes more sense to me now and also answers the questions that I had.
Thank you.