0

I have the following function that sanitizes input from the user or the url:

   function SanitizeString($var)
   {
       $var=stripslashes($var);
       $var=htmlentities($var, ENT_QUOTES, 'UTF-8');
       $var=strip_tags($var);
       return $var;
   }

I dont know whether to use that function in addition to this php function:

mysql_real_escape_string()..

I also dont know if I take all the precautions to sanitize that input

I also have a problem of stripping tags..cause I am using tiny_MCE..and not stripping them is important..

How do I return the state of the html characters as html characters before they were feed into the database?

Improve this question
4
  • 1
    That is very funny, mysql_real_escape_string is the only one you need for database, then if you need to output it use htmlspecialchars or something similar. Commented Oct 24, 2011 at 13:12
  • You can tell that it's not a very appropriate function from the lack of comments. Commented Oct 24, 2011 at 13:13
  • 1
    I'm pretty sure you've been told more than once before; I had a quick glance at your previous questions and many has this function, and you're not still convinced. DON'T SANITIZE HTML BEFORE INSERTING INTO A DATABASE. Just avoid SQL injections. SANITIZE HTML ON OUTPUT. Commented Oct 24, 2011 at 13:18
  • how do I decode the whole thing once it is out? I get this <p> dafafa</p>.. I want p represent html character and not a literal. What do you mean by output? Commented Oct 24, 2011 at 13:19

3 Answers 3

Reset to default
2

Sanitizing inputs a priori, no matter what, is wrong. What does stripping tags has to do with databases? Since when malicious scripts run inside a database? Being overprecautius is a good thing, except when you do it without a logic.

Sanitize only according to where the "suspect" content need to go.

A database? then escape for the database, to avoid SQL injections. Use mysql_real_escape_string() or parametrized queries and you're set.

Html page? Sanitize your html to avoid XSS and other nasty things. Use htmlentities(), or other more sophisticated solutions, but do that JUST BEFORE OUTPUTTING.

What if you save an html page inside your db, and you strip all tags instead (btw, strip_tags() does this job badly, and calling it after htmlentities() is not the best thing)? What if you later need the html back? Just think about it, what harm does to a database the use of the <script> tag, or a link to a malaware? Aren't they harmful only when they're printed on a page?

To decode form htmlentities(), just use..html_entity_decode()

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Are you my long-lost twin? ;)
true..so how do I solve that Issue with TinyMCE...I do want the tags to be printed out and avoid htmlEntities..but I am in danger of being sql attacked ..whats the solution
Do you each have one half of a medallion?
I updated, use html_entity_decode(). Anyway, all of this HAS NOTHING TO DO WITH DATABASE SECURITY. For databases use the usual functions, mysql_real_escape_string() or PDO and parametrized queries. IT'S A WHOLE DIFFERENT THING.
how does decoding work? if I decode it , the hackers code will be executed whatever it is javascript or sql attack
|
0

If you're talking about how to sanitize the HTML that comes out before you put it on the screen (which you don't really mention in your question but do in your comments), it's far more complicated than you might think.

Take a look at: http://iamcal.com/publish/articles/php/processing_html/ and http://www.iamcal.com/publish/articles/php/processing_html_part_2/

Improve this answer

Comments

0

When storing something in a (MYSQL) database, you'll want to use mysql_real_escape_string. If you're using PDO and prepared statements, PDO will take care of escaping for you. This protects you from SQL injection attacks.

When you print user generated content (texts, comments etc), you'll want to use either htmlspecialchars or htmlentitites or the like before you output anything. Which one is appropriate depends on your use case. Whichever you decide on, you'll only need one. This will protect you from XSS attacks.

You never need stripslashes etc. as long as magic quotes are disabled.

Improve this answer

4 Comments

if I use htmlentities from the input I got form the Tiny_MCE..then I will get something like this... <p>one</p> <strong>two</strong> instead of one being in paragraph and two being bold..
As I said: it depends on your use case. If you want your users to be able to post HTML, you'll have to let them. Be cautious though.
lol..the question is how do I acheive user satisfaction and security..Thats my whole question
Perhaps you should have mentioned that in your question, then. Plenty of people have answered what you actually asked. The really simple answer to "how do I get HTML on the screen" is to not use htmlspecialchars or htmlentities. But check my answer below for more information.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.