htmlentities vs addslashes vs mysqli_real_escape_string

I have been reading about securing PHP applications, and it seems to me that mysqli_real_escape_string is the right function to use when inserting data into MySQL tables, because addslashes can let a clever cracker do some strange things. Correct?

However, there is one thing that confuses me. I seem to remember reading that addslashes was better than htmlentities when echoing user data back to users to protect their data, but it seems that addslashes is the one with this vulnerability. Is this true, or am I remembering wrong?

+6
security php mysql-real-escape-string addslashes
7 answers

There are different contexts for your data. The context of inserting data into the database must be escaped differently than the rendering context of HTML/XML or even email messages.

Escaping data going into the db should be deprecated in all new code in favor of prepared statements. Anyone who tells you otherwise is doing you a great disservice.

Escaping data going to the browser must be done in several ways depending on the purpose. Sometimes htmlspecialchars is enough, sometimes you need to use htmlentities. Sometimes you need numeric entities. This is a topic you should research yourself to find out all the nuances.

The general rule I live by is to validate input (do not filter; reject it if it is incorrect) and escape output (based on context).

+5

These are different tools for different purposes.

mysqli_real_escape_string makes data safe to insert into MySQL (but parameterized queries are better).

htmlentities makes data safe for output into an HTML document.

addslashes makes data safe for several other situations, but is not sufficient for MySQL.

+11

You can also use PDO, which does most of the escaping for you, if you can use PHP5 on your servers.

For echoing back, I personally prefer htmlspecialchars, but feel free to correct me.

0

Yes, use mysqli_real_escape_string or a library like PDO on all user input. When echoing back, I use htmlentities with ENT_QUOTES as the second parameter, since it escapes all applicable characters to their HTML entities, including quotes.

0

Note: avoid using htmlentities() in a UTF-8 encoded document. See:

Quoted from phpwact.org:

With modern web browsers and broad support for UTF-8, you do not need htmlentities, because all of these characters can be represented directly in UTF-8. More importantly, in general only browsers understand HTML character entities; a plain text editor, for example, does not know HTML entities. Depending on what you are doing, using htmlentities may reduce the ability of other systems to "consume" your content.

Also (not confirmed, but it sounds reasonable; from a comment by anon here), named character entities (for example, "or") do not work when the document is served as application/xhtml+xml (unless you define them). You can still get away with the numeric form.

0

Another interesting solution for PHP 5.2 and higher is to use the filter extension: http://www.php.net/manual/en/book.filter.php

It allows you to validate and sanitize user input. There are many built-in filters, and you can combine them with flags to customize their behavior. In addition, these filters can be used to validate/sanitize ints, floats, emails, and specific regular expressions.

I personally started using them in my projects to validate forms and display user input, and I am very glad I did. When I insert values into a MySQL database, though, I use prepared queries for extra security. These solutions together help to avoid most SQL injection and XSS attacks.

0

You cannot have one "escape" function and expect it to work all the time. There are various attacks that require specific sanitization routines. The only way to understand this concept is to write vulnerable code and then exploit it. Writing exploit code is vital to understanding any security system.

For example, this query is vulnerable to SQL injection (deliberately; HTML escaping is the wrong context for SQL, and a backslash is not escaped at all):

    // $_GET keys quoted; the original used bare words, which PHP treats as undefined constants
    $host = htmlspecialchars($_GET['host'], ENT_QUOTES);
    $name = htmlspecialchars($_GET['name'], ENT_QUOTES);
    mysql_query("select * from user where Host='$host' and Name='$name' ");

Exploit: http://localhost/sqli_test.php?host=\&name=%20sleep(20)--%201

The best escaping function for MySQL is mysqli_real_escape_string(), but even this can fail when the value is not wrapped in quotes:

    // $db is the mysqli connection; the original omitted this required first argument
    mysql_query("select * from user where id=" . mysqli_real_escape_string($db, $_GET['id']));

Exploit: http://localhost/sqli_test.php?id=1%20or%20sleep(20)

In fact, the best way to take care of SQL injection is not to call an escape function at all, but to use parameterized queries (for example with ADODB). For XSS, use htmlspecialchars($var, ENT_QUOTES). Read the OWASP Top 10, because there is so much more that can go wrong with web application security.

0
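The two queries above, rewritten with context-specific handling, as an added example that is not part of the original answer. It assumes `$db` is an open mysqli connection (mysqlnd, PHP 7.1+) and that the `user` table has the `Host`, `Name` and `id` columns used in the answer's queries.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer. Assumes $db is an open mysqli
// connection and the `user` table has the columns Host, Name and id.

// String values: never interpolated into the SQL. Placeholders keep the value
// as data, so a backslash or a trailing "--" in $host/$name cannot close the
// quote or change the statement (the first exploit above no longer applies).
function findUser(mysqli $db, string $host, string $name): array
{
    $stmt = $db->prepare('SELECT * FROM user WHERE Host = ? AND Name = ?');
    $stmt->bind_param('ss', $host, $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Numeric value: escaping cannot help with an unquoted integer, so validate
// the shape first (filter extension, PHP 5.2+) and bind it as an integer.
// Invalid input is rejected, not "cleaned": "1 or sleep(20)" never reaches MySQL.
function findUserById(mysqli $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM user WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// HTML context: a different escaper. ENT_QUOTES covers both quote styles, so
// the value is safe inside attribute values as well as element text;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Usage: parameters on the way in, HTML escaping on the way out.
$rows = findUser($db, (string)($_GET['host'] ?? ''), (string)($_GET['name'] ?? ''));
foreach ($rows as $row) {
    echo '<li data-host="', h((string)$row['Host']), '">', h((string)$row['Name']), "</li>\n";
}
```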