Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 1 year ago.
Improve this question
I have a javascript-based rich text editor.
What is the safest way to save the tags it generates?
I'm using MySQL as my database.
I'm not sure if using mysql_real_escape_string($text); is safe.
I can't think of a reason to use htmlentities here. mysql_real_escape_string is vital here because it prevents people from injecting malicious SQL code like ';DROP * FROM table foo;-- into you database. I'd try it without htmlentities, if you find that you need to convert to entities then you could try htmlspecialchars instead which only converts special characters.
If you want to limit the allowed HTML in your form you might also want to look into the strip_tags function.
Relevant documentation:
http://us2.php.net/manual/en/function.htmlentities.php
http://us2.php.net/manual/en/function.htmlspecialchars.php
Good luck
I'd recommend that you use mysqli to interface with the database, that way you don't need to escape data and get a complete protection against SQL injections. You may of course still need to protect against HTML injections.
You do not need to write the string of text to a JavaScript file. If you need it to be handled by JavaScript I suggest that you fetch the data using an XMLHttpRequest (which contrary to what the name suggests does not require your data to be in XML form).
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
I have to pass parameters throught my pages. For exemple ids of my database.
Is it a good idea to do so: www.example.com?id=10
Or have I to hash the parameter:
www.example.com?id=b1d5781111d84f7b3fe45a0852e59758cd7a87e5
It is really important to hash this one?
Thanks
Best regards
There is no need to hash Id's in query string. Yes it is visible to everyone but it's a common use. you should verify in your server side that this parameter cannot harm your application
How are you able to trace back the id for that specific hash? You will create a bottleneck if you need to get all your database id's and hash those to find your matching record.
Using id's in urls are commonly used, just dont put any sensitive data in your urls to protect your visitors (and yourself).
Also note that every visitor is evil. Always validate incomming data and do some proper error handling incase someone is messing around with the urls.
Ids are ok but I think the spirit of this question may be the result of a very real concern.
As others have said, you should expect evildoers to be using your site. Of particular concern with poorly design web applications, are SQL injection attacks. The ids themselves aren't an issue but if your backend is building a string of SQL, you could have issue. For example if your PHP code is taking that parameter and creating this SQL:
SQL = 'select * from product where id ='.$_GET['id']
Executing this SQL would be a major issue if someone changed their browser to call this page:
/product.php?id=1;DELETE FROM USERS;--
...you could end up with an empty database table.
Every language has its own way of protecting from this kind of thing, so make sure you are doing it the right way. For example, see this SO question How can I prevent SQL injection in PHP?
See https://www.owasp.org/index.php/SQL_Injection for more info
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I have a form with a text field a user can edit, which will create a page on the website containing the text entered. How can I ensure the resulting page doesn't show anything malicious, no links, images or code, just raw text? Currently from php I'm using htmlspecialchars(), and when displaying the text on the page it's within xmp tags. Is that enough, or should I explicitly do things like validating against script tags etc?
edit: This question is different to the suggested question, because I'm not using sql.
edit 2: I accepted strip_tags. I'm now validating user input from php with htmlspecialchars(strip_tags("input")), and wrapping in xmp tags when displayed.
You can use strip_tags - it will remove everything in tags. http://php.net/manual/en/function.strip-tags.php
First of all: use prepared statments for your database storing, updating etc etc...
Second: You should escape the output using htmlspecialchars() function, It will just convert special characters to HTML entities, so if you put a script tag in there, It will not run.
Unless you want your users to post code just like here in StackOverflow, you can just use strip_tags() function as #user2182349 pointed out.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
How can I submit any kind of symbols to php and update it into my database tables? When I use some symbols ('!##$%^&*()_+=), it does not update the database table.
Can anybody help me?
You can use the htmlspecialchars() in which you can find the documentation here.
http://us.php.net/htmlspecialchars
Use function htmlentities()
The values will not be stored in the database as they are like ('!##$%^&*()_+=) but this function will change your " to " and other characters respectively.
Keep aware yourself of SQL Injection and XSS. If you do not filter your inputs properly then your code will be vulnerable to script kiddies.
You could use the htmlentities() function. It's the best solution I think.
If you really really don't want to use this function for some reason you can always change the column type to text instead of varchar.
Edit: sorry for using the wrong function. You guys are right. Maybe mysql_real_escape_string() does the job but probably it would only take care of the quotations.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
I don't understand, I transferred my files to new hosting and now I can get SQL injection, even if I use mysql_escape_string or addslashes. Before that, I never could get an SQL injection. What's wrong? Please help, I am going crazy.
edit: There is no SQL injection if I use ", but it gives SQL injection, if I use '. My head will explode really soon...
I thinks that mysql_real_escape_string is the function you want to use to protect your application from SQL injection....
Also make sure magic quotes are off...
It is very hard to craft code that escapes/sanitizes inputs to a point where they would be safe to submit directly to a SQL database. What you really should do to make use of Parameterized Queries in your code for all interactions with your database. This allows your database to determine what should be considered "command" and what should be considered "data" so that injected SQL into the "data" will still be seen at data.
Read more at OWASP's excellent discussion about this topic.
You may have had insecure code at the old host, and you just didn't know about it until you put the code at the new host, and people started attacking it there for whatever reason.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 4 months ago.
Improve this question
I am using codeigniter php MVC framework to develop a web application. I have an input textarea that I would like to validate the input on. Basically it is similar to the textarea that I am typing in right now for stackoverflow, minus most (maybe all) of the formatting features that it has. Is there a simple built in way of doing this in codeigniter? If not, what would be the best way to approach this? Basically I want the input filtered and formatted properly both before writing to the database and also for retrieving the text for display on the page. I assume I would need all the basic regex checks and character escaping (like double quotes etc.) as well as sql injection protection. Thanks in advance!
you can use the same SO editor or markdown or a regular WYSIWYG for user's input.
Regarding security or sql injection, look at html purifier. you have a nice comparative here that can help you to see which one is the best for you... remember that more rules to check usually means more overhead
What you're trying to do sounds more like sanitizing your input, not validating. If you use CodeIgniter's ActiveRecord functions, you will be protected from SQL injections. For everything else, you'll have to write on your own code, probably in a function in your model before you send it to the database.
CodeIgniter has its own Form Validation library. See link text.
It "... provides a comprehensive form validation and data prepping class that helps minimize the amount of code you'll write."
Of course, it is server-side validation. You might want to look at jQuery's Validation plugin for your client-side validations. See link text.