
So on my website I have a field for users where they can set a profile description of a max 100 letters. My problem is that they can use HTML for their profile description! I use a as input for their description, and it is put directly into the MySQL database.

Here is the code for displaying their profile description:

<div id="mid-profile-desc">
  <p><?php echo $userProfileDesc;?></p>
</div>

<!--String is just this from database: $userProfileDesc = $row["profiledesc"];-->

But with this, users, when setting their profile description, can use languages such as HTML, CSS, JavaScript, PHP & a lot more. They can also control my database with that.

So how can I disable users from using all of those? I could probably just ban the "<" and ">" letters but that is probably not safe either. Any good ways of doing this with it being safe as well?

Comments

  • 1) Read up on SQL injection and how to prevent it. 2) Learn how to sanitize your data, since you don't want others manipulating your site. Commented Jan 26, 2018 at 17:29
  • Learn about XSS and HTML escaping. Commented Jan 26, 2018 at 17:30
  • You have an answer @Heine Commented Jan 26, 2018 at 17:31
  • For SQL injection I just use mysqli_escape_string, which I have read works? I definitely need to learn more about website security, because the fact that people can literally delete my whole database right now just by using profile descriptions really scares me. I have turned off the function to change profile descriptions for now. Commented Jan 26, 2018 at 17:32
  • No, read the post I linked. mysqli_escape_string is NOT safe. Using prepared statements and parameter binding is the safest way to prevent 1st level injection. Commented Jan 26, 2018 at 17:51

2 Answers


The user input is currently displayed without a filter. This means that, although people cannot use PHP code, they can insert any HTML tags or JavaScript into your website and carry out XSS attacks.

The solution for that is htmlspecialchars:

<?php echo htmlspecialchars($userProfileDesc); ?>

It is generally not a problem to have unescaped HTML in your database; however, you do need to worry about things like SQL injection. Use parametrized queries to avoid those.
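As an added example (not code from the question or either answer), here are the two fixes this answer describes, each applied at the boundary where it belongs: a bound parameter when the description is stored, and HTML escaping only when it is rendered. It assumes a `users` table with `id` and `profiledesc` columns, a PDO connection in `$pdo`, and the current user's id in `$userId`.

```php
<?php
// Added example, not from the original post. Assumptions: a `users` table
// (columns `id`, `profiledesc`), a PDO connection $pdo, current user $userId.
declare(strict_types=1);

// 1) Storing: a prepared statement with a bound parameter. The description is
//    never concatenated into the SQL text, so quotes, comment markers or a
//    semicolon inside it are stored as plain data and cannot alter the query.
function saveProfileDesc(PDO $pdo, int $userId, string $desc): void
{
    // Enforce the 100-character limit server side; a form limit can be bypassed.
    // mb_strlen needs the mbstring extension; strlen would count bytes, not letters.
    if (mb_strlen($desc, 'UTF-8') > 100) {
        throw new InvalidArgumentException('Profile description exceeds 100 characters.');
    }
    $stmt = $pdo->prepare('UPDATE users SET profiledesc = :desc WHERE id = :id');
    $stmt->execute([':desc' => $desc, ':id' => $userId]);
}

// 2) Displaying: escape the raw stored text for the HTML context it lands in.
//    ENT_QUOTES also converts single quotes, so the same helper is safe inside
//    single-quoted attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking
//    the output. The charset must match the one the page is served with.
function escapeHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: what a user who types markup would submit.
$sample = '<b>Hi</b> O\'Brien & "friends"';
// After escaping, the browser shows the tags as literal text instead of
// interpreting them, which is what stops script injection via the description.
$userProfileDesc = $sample;
?>
<div id="mid-profile-desc">
  <p><?= escapeHtml($userProfileDesc) ?></p>
</div>
```

Note that the text in the database stays exactly as the user typed it; only the rendered copy is escaped, so it can be reused unchanged for a JSON API or a plain-text email where HTML entities would be wrong.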


10 Comments

Why are you encoding the output?
Just to add a bit of followup to this answer. htmlspecialchars() will do the magic of preventing any html or scripts from running. See the documentation for more info. (Ideally, you should be using this method, along with storing the raw input from the user in the database)
@FrankerZ htmlspecialchars() is an encode function. This should be used before store. htmlspecialchars_decode() for decoding the output.
Oh, I thought they could use PHP too, then it's not as bad as I thought at least. I just tested using <?php echo '<p>Hey</p>' ?> which displayed like Hey,-> or something, and when I think about it that's what it says when it doesn't work, but thank you, I will add the htmlspecialchars and check it out.
@LeventeOtta In general, I only escape for the current output target. There is little to no added value in escaping html before it goes into the database - the database does not parse html so it has nothing to fear from some html tags. Instead, databases can be harmed through sql injections: to prevent that we use parametrized queries.

First: Use htmlspecialchars before store, and decode before output.

Second: Use PDO statements for SQL queries.
