Securing input in a textarea (forum)

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Demiloy
Forum Newbie
Posts: 1
Joined: Sun Aug 03, 2008 11:28 pm

Securing input in a textarea (forum)

Post by Demiloy »

Right now I'm making a forum (not so much to try to challenge phpBB or anything like that, but to gain experience). So, when someone posts a new topic or post, I run it through mysql_real_escape_string, and then put it straight into the MySQL database. But I'm wondering, is there any other potentially harmful thing an attacker could do, even after escaping the string?
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: Securing input in a textarea (forum)

Post by jaoudestudios »

That should be fine, make sure you use it on all php variables in the query.

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Securing input in a textarea (forum)

Post by alex.barylski »

Define potentially harmful...that is very subjective and if I said NO someone would likely counter argue, so I'll say maybe. :P

If you properly escape the incoming data...it will prevent anyone from executing a SQLi attack but that is about it.

You do not mention anything about filtering so that might be exploited for XSS.

Validation is another link in the security chain.

Whether you consider any of the number of exploits or problems actually problems or just minor setbacks is really subjective.

Personally I don't filter *everything* for example an email address. I do however have a sophisticated RFC validation routine I run against email input and if it fails it's only because the email isn't valid according to RFC, so in this case filtering would be redundant.

A message post on the other hand...is probably very difficult to validate (given the arbitrary nature of user text) so you are probably better off filtering and removing harmful tags, attributes, etc.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Securing input in a textarea (forum)

Post by Mordred »

There are cases when escaping is not enough: http://www.logris.org/security/the-unex ... -injection
Don't forget to pay attention to the other code in the forum: searching and sorting in particular open possibilities for failures like the ones described in the above paper.
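To tie the thread's points together (SQLi on storage, XSS on output, and the search/sort code Mordred mentions), here is an added example that is not code from any poster. It uses PDO prepared statements in place of mysql_real_escape_string and assumes a PDO connection in exception error mode and a hypothetical table posts(id, author, body, created_at).

```php
<?php
// Added example, not from the thread. Assumes $pdo is a PDO connection with
// PDO::ATTR_ERRMODE set to PDO::ERRMODE_EXCEPTION and a hypothetical table
// posts(id INT AUTO_INCREMENT, author VARCHAR(64), body TEXT, created_at DATETIME).
declare(strict_types=1);

// Store a post. Bound parameters keep the body as data whatever it contains,
// so there is no escaping step that can be forgotten on one variable.
function storePost(PDO $pdo, string $author, string $body): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO posts (author, body, created_at) VALUES (:author, :body, NOW())'
    );
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Search and sort. The search term is bound as data, but a column name cannot
// be bound, so the sort key is mapped through a fixed whitelist. The limit is
// bound as an integer instead of being spliced into the query string.
function searchPosts(PDO $pdo, string $term, string $sortBy, int $limit): array
{
    $allowedSort = ['created_at' => 'created_at', 'author' => 'author'];
    $orderBy = $allowedSort[$sortBy] ?? 'created_at';

    // Escape LIKE wildcards so "%" and "_" typed by the user match literally.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';

    $stmt = $pdo->prepare(
        "SELECT id, author, body FROM posts WHERE body LIKE :pattern ORDER BY $orderBy LIMIT :limit"
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':limit', max(1, min($limit, 100)), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output encoding. The body is stored verbatim and encoded only when rendered,
// so a post containing "<script>" is displayed as text, not run in readers' browsers.
function renderPost(array $post): string
{
    $author = htmlspecialchars($post['author'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $body   = nl2br(htmlspecialchars($post['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    return "<article><strong>$author</strong><p>$body</p></article>";
}
```

Escaping at storage time protects only the INSERT; the LIKE wildcard handling, the ORDER BY whitelist and the integer LIMIT cover the places where a bare mysql_real_escape_string call does nothing.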