3

I have a TextArea on my website whose input I write into my database.

I want to filter this TextArea input, but without removing any HTML tags or other stuff.

In short, I want to sanitize and secure the input before I write it into my database, but I want the entry to be intact and unmodified when I take the entry back out of the database and write it on the website.

How can I achieve this?

3 Answers

3

If you want to preserve the data character for character when it's written back to the website, try:

$stringToSave = mysql_real_escape_string($inputString);

Then when retrieving it from the database:

$stringToPutOnPage = htmlentities($databaseString);

If you want the html to actually be read as html (be careful about XSS) you can just use:

$stringToSave = mysql_real_escape_string($inputString);

Edit: It would seem that best practice is to sanitize the string for html after retrieving it from the database and not before. Thanks for the comments, I will have to change my method.

3 Comments

Never further post-process any strings after they've gone through mysql_real_escape_string! SQL escaping is always the last thing you do before plugging the value into a query, and is pointless at best in any other circumstance.
You shouldn't escape the HTML when putting it into the database. It makes more sense to escape it for display; right before you print the HTML.
@Jonathan Let me point out that this is not a good solution. You should not store HTML-escaped strings in your database. It is not necessary to avoid SQL injection, and it's bad practice. You should escape your strings according to the output medium. I.e., HTML escaping is only necessary when putting the strings into an HTML document, so only do it then. If you decide to output the values anywhere else, say in a JSON context, you've just dug yourself into a hole by "hard coding" your content for output into HTML.
3

If you mean you simply want to make it safe to store in your database, all you need to do is use the database-specific escaping method, for example mysql_real_escape_string. Of course, that doesn't secure you from XSS attacks, but if you want to retrieve and display it unmodified you don't have a choice.

4 Comments

Better to use mysql_real_escape_string as mysql_escape_string is now deprecated.
yeah was fixing that as you commented :D
To retrieve and display use strip_slashes()
mysql_escape_string is DEPRECATED.
2

It's really simple:

  • To avoid SQL injection, mysql_real_escape_string your values before concatenating them into an SQL query, or use parameterized queries that don't suffer from malformed strings in the first place.
  • To avoid XSS problems and/or messed up HTML, HTML escape your values before plugging them into an HTML context.
  • JSON escape them in a JSON context, CSV escape them in a CSV context, etc pp.

All are the same problem, really. As a very simple example, to produce the string "test" (I want the quotes to be part of the string), I can't write the string literal $foo = ""test"". I have to escape the quotes within the quotes to make clear which quotes are supposed to end the string and which are part of the string: $foo = "\"test\"".

SQL injection, XSS problems and messed up HTML are all just a variation on this. To plug a value that contains quotes into a query, you have the same problem as above:

$comment = "\"foo\"";  // comment is "foo", including quotes
$query = 'INSERT INTO `db` (`comment`) VALUES ("' . $comment . '")';
       // INSERT INTO `db` (`comment`) VALUES (""foo"")

That produces invalid syntax at best, SQL injection attacks at worst. Using mysql_real_escape_string avoids this:

$query = 'INSERT INTO `db` (`comment`) VALUES ("' . mysql_real_escape_string($comment) . '")';
       // INSERT INTO `db` (`comment`) VALUES ("\"foo\"")

HTML escaping is exactly the same, just with different syntax issues. You only need to escape your values in the right context using the right method. To escape values for HTML, use htmlentities. Do that at the time it's necessary. Don't prematurely or over-escape your values; only apply the appropriate escape function in the right context at the right time.
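The following is an added worked example illustrating the point made in this answer and in the edit to the first answer: store the textarea text untouched using a parameterized query, and escape only at output time, per output context. It is not code from the original question or answers. It is written in Python against an in-memory SQLite table standing in for the MySQL table in the question (PHP's PDO prepared statements and htmlspecialchars behave the same way for this purpose), and the sample comment is constructed for the demonstration.

```python
import html
import json
import sqlite3

# Constructed sample textarea input: markup, both kinds of quote and an
# ampersand. The requirement is to store exactly this and get exactly this back.
SAMPLE_COMMENT = 'Tom said "it\'s <b>fine</b>" & left'


def new_db():
    """In-memory SQLite table standing in for the MySQL table in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def insert_concatenated(conn, body):
    """Unsafe: the value is spliced into the SQL text. The apostrophe in the
    sample input ends the string literal early, so the statement is invalid
    (and a crafted value could change the statement's meaning instead)."""
    sql = "INSERT INTO comments (body) VALUES ('" + body + "')"
    try:
        conn.execute(sql)
        return True
    except sqlite3.Error:
        return False


def insert_parameterized(conn, body):
    """Safe: the driver sends the value separately from the SQL text, so no
    character in the body can alter the statement. Nothing is escaped or
    modified on the way in; the function returns what the table now holds."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    row = conn.execute("SELECT body FROM comments ORDER BY id DESC LIMIT 1").fetchone()
    return row[0]


def find_concatenated(conn, needle):
    """Unsafe lookup: a needle of  ' OR 1=1 --  turns the WHERE clause into a
    tautology and the query returns every row."""
    sql = "SELECT body FROM comments WHERE body = '" + needle + "'"
    return [row[0] for row in conn.execute(sql)]


def find_parameterized(conn, needle):
    """Safe lookup: the same needle is compared as plain data and matches nothing."""
    rows = conn.execute("SELECT body FROM comments WHERE body = ?", (needle,))
    return [row[0] for row in rows]


def render_html(body):
    """HTML context: escape at output time, so the browser shows the markup
    as text instead of interpreting it (this is the XSS defence)."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


def render_json(body):
    """JSON context: a different escaping rule, applied from the same raw value."""
    return json.dumps({"body": body})


def double_escaped(body):
    """What goes wrong if the value is HTML-escaped before storing and again at
    output: '&' becomes '&amp;amp;' and the page shows '&amp;' literally."""
    return html.escape(html.escape(body))


if __name__ == "__main__":
    db = new_db()
    print("concatenated insert ok:", insert_concatenated(db, SAMPLE_COMMENT))
    print("stored intact:", insert_parameterized(db, SAMPLE_COMMENT) == SAMPLE_COMMENT)
    print("injected lookup:", find_concatenated(db, "' OR 1=1 --"))
    print("parameterized lookup:", find_parameterized(db, "' OR 1=1 --"))
    print(render_html(SAMPLE_COMMENT))
    print(render_json(SAMPLE_COMMENT))
    print(double_escaped("&"))
```

The same raw value feeds every renderer, which is why storing it unmodified is the right choice: the HTML and JSON outputs differ only in the escaping applied at the last moment, and neither can be produced correctly from a value that was already HTML-escaped in the database.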
