How to properly log out an easy html code to a database to make it secure? I have lift and I am getting html code. If I use htmlspecialchars, I'll throw in & gt; e.t.c.
How to do it correctly and safely?
I would like to add that every user can insert articles.
Ok, I added: mysqli_real_escape_string + trim to remove unnecessary white characters. The html code is thrown into the database. This is ok? I added alert (1); and the code was done. How to prevent this?
You can use real_escape_string() to insert HTML Code it will treat your whole html code as string and allow special charecters to get inserted for more info you can check manual here: https://www.php.net/manual/en/mysqli.real-escape-string.php
Related
Sorry, for my bad English!
As I'm learning PHP and having some questions about insert and output data from the database.
I am using PHP PDO.
To insert data to the database I'm using following function:
public static function validate( $string ){
$string = trim($string);
$string = htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
return $string;
}
So when I insert this data O'Really <script>alert(is it safe?)</script> I see the data is properly(maybe) escaped/saved in the database. like that: <script>alert(1)</script>
Now, When I output this data should I use any PHP function?
If not then Is it safe?
Okay, If I use any PHP function like htmlentities then the data is showing like that O'Really <script>alert(is it safe?)</script>
Off course which I don't want.
Now, when I edit this data I see the data is saved to the database like this way:
O'Really <script>alert(is it safe?)</script>
Can you guys tell me the proper way / guide to safely insert/output data to/from the database?
There are (at least) two different risks you want to handle while storing user-given data from a web page in a database:
Cross Site Scripting (XSS) attacks, as AXAI mentioned above. In this scenario the problem isn't actually the database layer, but the dynamic text fields that are inserted into the HTML code. In your code snippet, you handled this problem by turning the tag marks (< and >) into entities before you stored them in the database. I recommend doing the opposite (as tadman says): storing the plain text untouched (but see next section), and use the htmlspecialchars() when outputting the fields in the HTML output.
SQL injection attacks. Basically, you want to escape any special characters correctly, e.g. ' must be turned into \' in a SQL command. If this escaping is done correctly it does not distort what is saved in the database, but assures that exactly all of the characters (whether normal or special) input by the user are put in the database. The article http://php.net/manual/en/security.database.sql-injection.php describes this closer, and also gives event better methods (i.e. variable binding).
I'm having lots of trouble preserving the exact look of how a user types out a short paragraph.
My problem is that random slashes and html show up. When people would hit enter while typing the message, "\r\n\" would show up when it's echoed later. I tried fixing that but now when the user types an apostrophe while composing a message, it gets inserted into the database with 3 back slashes, and thus echoed later with 3 back slashes with the apostrophe. Frustrating! I want to just start over!
Here's what I do.
User types a message in an input field and hits submit.
That message gets inserted into the database with type varchar(280) via php.
That message gets echoed via php.
I've tried many different things like nlbr and strip_tags and stripslashes and mysql_real_escape_string and others. I might be using these all in a certain combination that messes it up.
So my question is what is the best way to preserve exactly how someone composes a text paragraph to be later echoed via php to look just like how they typed it?
Make sure Magic Quotes are off or, if you can't disable them, cleanse your strings from them. Read the manual for details: http://www.php.net/manual/en/security.magicquotes.php
When inserting your text into the database, escape it properly for SQL syntax once or, better, use prepared statements. See How can I prevent SQL injection in PHP? and The Great Escapism (Or: What You Need To Know To Work With Text Within Text).
When outputting to HTML, use htmlspecialchars to avoid HTML injection or plain syntax problems and afterwards use nl2br to format line breaks specifically for HTML.
That's basically it.
On the second step you need to escape it with mysql function.
But for correct outputing it you need to do following
<pre><?= htmlentities($mysqlRow['data']); ?></pre>
This will get from database result needed information and will outputs it like it is. With all spaces and tabs and html tags in it. (If user enters <html> this will output <html> like text)
i'm developing a website that has a shoutbox application,
what i want to do is how to accept if the user or a guest is inserting php tags as his/her message or shout just like want you can see on the image..
i'm using mysql_real_escape_string for the guest name and for the message..
i want php to treat that as a text and display it as a text not a tag or a code..
when i entered a shout like that, no message appears just like the shout of the (guest:3:34pm) no message displayed, and when i check my database to see if the shout is inserted.. no data inserted on the messages column of my tb_shoutbox..
i tried it on facebook chat i enter a php tag and html tag and it accept that kind of message.. how to do that..
some help please..
You need to convert certain characters (such as "<") to HTML entities. The htmlentities function can be used like so:
echo htmlentities($guest_comment, ENT_QUOTES, 'utf-8');
To build on Wayne Whitty's completely correct answer and answer on your comment on his answer:
mysql_real_escape_string is used when you want to insert a variable's data into a MySQL database using a MySQL query, without breaking the query with the variable's content.
That prevents people from doing SQL injections on your shoutbox.
htmlentities on the other hand is used when you want to stop people from breaking your PHP script (which can be very unpleasant). It encodes the string you gives it into pure html. It's like it is telling the browser that this string, whatever is in it, should be displayed right of to the user. No code parsing is done.
So to answer your question: Somewhere in your code you have a PHP line that echoes the messages from the database/file. You need to modify that line so it first encodes the message with htmlentities, then shows it to the use
You should use HTMLEntities in order to display tags as plain text.
All,
I'm inserting some text from a textarea in a mySQL database. I'm using mysql_real_escape_string() to do this. I'm using stripslashes() to remove the "\" that gets inserted in front of this to display it. However when I output this it gives me the following result for something like wasn't I get wasn\\'t and if someone hits enter in my text area I get \r\n\r\n and that is also displayed.
In my database it stores correctly with a single slash and the return but it doesn't output that the same way when it's outputed. Any idea why it would be doing this?
Thanks
As long as you are double checking how your outputting data. I used.. serialize(), and unserialize(). Takes care of any special characters it seems. Have you tried that?
Greetings,
I'd like to insert html via a form into my database using php. Can anyone please tell me what function I can use to ensure something such as
<p>This is a test</p>
<h1>Turns up correctly</h1>
Turns up in the database correctly. Right now when I do an insert the special characters are replaced with the HTML special character code.
Also whats the best way to handle inputs such as this? My code is going to be very fragile against something such as special characters and quotes.
Thanks
You only need mysql_real_escape_string():
mysql_query("INSERT INTO
table
SET
html = '".mysql_real_escape_string($myHTML)."'");
DB doesn't care of special characters. The important thing is to escape quotes, which mysql_real_escape_string() will handle.
So no need for htmlentities($myHTML) or anything like that, and when you fetch the HTML back from the database, it is already in the right format for outputting.