  1. #1
    SitePoint Addict (Join Date: Aug 2006, Posts: 288)

    htmlspecialchars + addslashes enough for security?

    I've got a script that takes variables submitted from a form, passes them through the htmlspecialchars and addslashes functions, and then stores them in the database.

    Is this enough? Or is such a thing vulnerable to SQL injection and other attacks?

  2. #2
    SitePoint Wizard (Join Date: Dec 2004, Location: At My Desk!!, Posts: 1,642)
    mysql_real_escape_string is a really good function to use. I use this mainly.
    "Am I the only one doing ASP.NET in Delphi(Pascal)?"

  3. #3
    kromey, "Worship the Krome" (Join Date: Sep 2006, Location: Fairbanks, AK, Posts: 1,621)
    Don't run your variables through htmlspecialchars before storing them in the database - it's unnecessary and it inflates your storage requirements. Use htmlspecialchars when you display the data (to prevent XSS attacks).

    If you are using MySQL as your database, use mysql_real_escape_string instead of addslashes; otherwise use addslashes. Or, better yet, use PDO to access your database (whether you use MySQL or not).

    In addition, if you are expecting a number, make sure it's a number; if you are expecting an e-mail address, make sure it's an e-mail address. Simply escaping data is not the same as validating it - you must ensure that the data is what you expect, otherwise you will get unexpected (and potentially dangerous) results when you attempt to use the data.
    PHP questions? RTFM
    MySQL questions? RTFM
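    A worked version of the three points in the post above (store the raw value, use PDO with prepared statements, validate before use, escape only on output), added here as an example; it is not code from the thread. It assumes PHP 7.4+ with the pdo_sqlite extension so it runs offline against an in-memory database; the `members` table and the form input are constructed for the example.

```php
<?php
// Added example (not from the thread): validate, store via a prepared statement,
// escape at display time. Uses an in-memory SQLite database so it runs offline;
// the "members" table and the $form input are constructed for this example.

declare(strict_types=1);

function validateMember(array $input): array
{
    // Validation, not escaping: reject anything that is not the expected type.
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
    ]);
    $email = filter_var($input['email'] ?? null, FILTER_VALIDATE_EMAIL);
    $name  = trim((string)($input['name'] ?? ''));

    if ($age === false || $email === false || $name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('Invalid member data');
    }
    return ['name' => $name, 'email' => $email, 'age' => $age];
}

function storeMember(PDO $db, array $member): int
{
    // The value never becomes part of the SQL text; the driver binds it separately,
    // so no addslashes()/htmlspecialchars() is needed before storage.
    $stmt = $db->prepare('INSERT INTO members (name, email, age) VALUES (:name, :email, :age)');
    $stmt->execute([
        ':name'  => $member['name'],
        ':email' => $member['email'],
        ':age'   => $member['age'],
    ]);
    return (int)$db->lastInsertId();
}

function renderMember(array $row): string
{
    // Escape for HTML at display time only; ENT_QUOTES also covers attribute values.
    $name  = htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $email = htmlspecialchars($row['email'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $age   = htmlspecialchars((string)$row['age'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<li>' . $name . ' &lt;' . $email . '&gt; (' . $age . ')</li>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT, age INTEGER)');

// Constructed form input: quotes and angle brackets are stored exactly as submitted.
$form = ['name' => "O'Brien <b>", 'email' => 'obrien@example.com', 'age' => '42'];
$id   = storeMember($db, validateMember($form));

$stmt = $db->prepare('SELECT name, email, age FROM members WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

echo 'Stored:   ', $row['name'], "\n";   // the raw value, untouched by any escaping
echo 'Rendered: ', renderMember($row), "\n";

// Constructed bad input: a non-integer age and a malformed address are rejected
// before any SQL runs, which escaping alone would never do.
try {
    validateMember(['name' => 'x', 'email' => 'not-an-address', 'age' => '12abc']);
} catch (InvalidArgumentException $ex) {
    echo 'Rejected: ', $ex->getMessage(), "\n";
}
```

    The same code works unchanged against MySQL by swapping the DSN (for example `mysql:host=...;dbname=...;charset=utf8mb4`), which is the "whether you use MySQL or not" part of the advice.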

  4. #4
    SitePoint Addict (Join Date: Aug 2006, Posts: 288)
    > If you are using MySQL as your database, use mysql_real_escape_string instead of addslashes;
    The addslashes is in this function, which the variables are passed through when entered into the database:

    PHP Code:
        function MySqlIn($value) {
            // Replace double quotes with single quotes
            $value = str_replace("\"", "'", $value);

            // If magic_quotes_gpc is on, PHP has already added the slashes
            if ( get_magic_quotes_gpc() ) {
                return $value;
            } else {
                return addslashes($value);
            }
        }
    Should I replace the whole MySqlIn or just the addslashes with mysql_real_escape_string?

  5. #5
    kromey, "Worship the Krome" (Join Date: Sep 2006, Location: Fairbanks, AK, Posts: 1,621)
    Aye, just use mysql_real_escape_string.
    PHP questions? RTFM
    MySQL questions? RTFM
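    The replacement the answer above suggests, written out as an added example rather than code from the thread. Because ext/mysql and mysql_real_escape_string() were removed in PHP 7.0, it uses the mysqli equivalent, and the get_magic_quotes_gpc() branch is dropped because magic quotes were removed in PHP 5.4. It assumes a live MySQL connection (the credentials are placeholders) and a `notes` table with an auto-increment `id` and a TEXT `body` column, both constructed for the example.

```php
<?php
// Added example, not the poster's or kromey's code: MySqlIn() with addslashes()
// replaced by the driver-aware escape function. Assumes PHP 7+ with mysqli,
// placeholder credentials, and a constructed table:
//   CREATE TABLE notes (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT);

declare(strict_types=1);

function MySqlIn(mysqli $link, string $value): string
{
    // mysqli_real_escape_string() escapes according to the connection's
    // character set, which addslashes() knows nothing about. The original
    // str_replace('"', "'", ...) and magic-quotes branch are gone: the driver
    // escape handles both quote characters, and magic quotes no longer exist.
    return mysqli_real_escape_string($link, $value);
}

$link = new mysqli('127.0.0.1', 'dbuser', 'dbpassword', 'testdb'); // placeholder credentials
if ($link->connect_error) {
    exit('Connect failed: ' . $link->connect_error . "\n");
}
// Set the charset on the connection, not via a query, so the escape function sees it.
$link->set_charset('utf8mb4');

// Constructed input containing every character the escape must handle.
$original = "It's a \"test\" \\ line";
$body     = MySqlIn($link, $original);

// The escaped value is only safe inside a quoted string literal. An escaped
// value dropped into an unquoted numeric position is still live SQL, which is
// why "if you are expecting a number, make sure it's a number" still applies.
$sql = "INSERT INTO notes (body) VALUES ('$body')";
if (!$link->query($sql)) {
    exit('Insert failed: ' . $link->error . "\n");
}

// Read it back and compare with the original to confirm a clean round trip.
$result = $link->query('SELECT body FROM notes ORDER BY id DESC LIMIT 1');
$row    = $result->fetch_assoc();
echo ($row['body'] === $original) ? "round trip ok\n" : "round trip mismatch\n";
```

    Escaping this way is still a string-building approach; as the third post says, PDO (or mysqli prepared statements) removes the quoting question entirely and is the better default for new code.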
