Securing from textarea input

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Skiddles2010
Forum Newbie
Posts: 19
Joined: Tue Jul 06, 2010 11:05 pm

Securing from textarea input

Post by Skiddles2010 »

I could use some help wrapping my head around this. I'd like to know what's a good way to go about securing multi-paragraph textarea inputs? The user will be inputting some kind of "How-To" guide of their own, so I need to allow things like periods, semicolons, apostrophes, question marks, new lines etc. Using mysql_real_escape_string, if a user enters something like "Vinny's Recipe", it ends up displaying as "Vinny\\\'s Recipe". How do I avoid this? The form takes a number of different inputs from textareas, textfields, drop lists, and an image upload field. In its present stage, the only "security" I have on those POST variables is that each one is filtered through mysql_real_escape_string prior to being utilized. Any advice on how to secure this?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: Securing from textarea input

Post by superdezign »

The extra slashes come from adding slashes to slashes. This can occur if you escape the data twice. Either you are running an escape function (i.e. mysql_real_escape_string) twice on the same data, or you have Magic Quotes enabled, which is the usual culprit. This can be disabled in the php.ini file, the .htaccess file, or by using stripslashes on the input data.
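To make the double-escaping concrete, here is an added PHP example (not code from either poster) that reproduces the "Vinny\\\'s Recipe" result, undoes Magic Quotes exactly once, and then escapes once at the database boundary with a prepared statement; the `guides` table, its columns and the PDO connection are assumptions for illustration.

```php
<?php
// Added example: why "Vinny's Recipe" turns into "Vinny\\\'s Recipe".
// addslashes() stands in for the escaping that Magic Quotes and
// mysql_real_escape_string each apply to quotes and backslashes.
$raw            = "Vinny's Recipe";
$afterMagic     = addslashes($raw);         // Vinny\'s Recipe   (Magic Quotes on POST)
$escapedTwice   = addslashes($afterMagic);  // Vinny\\\'s Recipe (second escape on top)

// Step 1: reverse Magic Quotes once, and only when it was actually applied.
// Blindly calling stripslashes() would damage legitimate backslashes when
// Magic Quotes is off. get_magic_quotes_gpc() no longer exists in PHP 8,
// hence the function_exists() guard.
function normalise_input($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return is_array($value)
            ? array_map('normalise_input', $value)
            : stripslashes($value);
    }
    return $value;
}

// Step 2: escape exactly once, at the database boundary. A prepared statement
// does this for you, so no manual mysql_real_escape_string call is needed and
// apostrophes, semicolons and newlines in the how-to text are stored as typed.
function save_guide(PDO $db, $title, $body) {
    $stmt = $db->prepare('INSERT INTO guides (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => $body]);
    return $db->lastInsertId();
}

// Usage (assumed DSN and table): the stored value is the user's original text.
// $db    = new PDO('mysql:host=localhost;dbname=site', 'user', 'pass');
// $title = normalise_input($_POST['title']);
// $body  = normalise_input($_POST['body']);
// save_guide($db, $title, $body);
```

Escaping belongs where the data leaves PHP (the database query), not where it enters; storing already-escaped text is what produces the stray backslashes on display.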