  1. #1
    SitePoint Guru afridy
    Join Date
    Mar 2007
    Posts
    966

    htmlentities function problem

    Hi folks,

    table postion_ids

    pid
    ----
    1
    2
    3
    4


    table positions

    pid|name
    ----------------
    1 | carpenter
    2 | Foreman Insp. & Valves Rooms

    User selects "Foreman Insp. & Valves Rooms" from a selection list in a form.

    Now I validate his input against htmlentities() and mysql_real_escape_string() to prevent SQL injection.
    Then I compare his input with our table 'positions'.

    The problem is that it does not match, even though the input and the table data are identical,
    but if I remove htmlentities() from the validation, it compares correctly.

    How do I solve this issue? Because I need htmlentities() in place as a security measure.

  2. #2
    SitePoint Wizard Cups
    Join Date
    Oct 2006
    Location
    France, deep rural.
    Posts
    6,869
    No, you have not understood something fundamental.

    htmlentities is an escaping mechanism for when the next target environment is an HTML stream (for a webpage); it escapes potentially dangerous characters which could lead to an XSS attack.

    mysql_real_escape_string is an escaping mechanism for when the next target environment is MySQL; it escapes potentially dangerous characters that could lead to an SQL injection style attack.

    I have heard of some saying they use both, so that their data is always ready to be displayed on a webpage, but this would clearly depend upon all their data being HTML-escaped from when they originally put it in there.

    This is not the common practice though AFAICT.

    If you HAD put html escaped data in your table then your query would match, as far as I can see.

  3. #3
    Foozle Reducer ServerStorm
    Join Date
    Feb 2005
    Location
    Burlington, Canada
    Posts
    2,699
    Just to add... normally htmlentities() should be used on the output/display of your data. People who have stored htmlentities() code in their db often complain about not being able to work with the data (other than display it on a Web Page) afterwards. So escape on output, filter on input. Use mysql_real_escape_string before inserting/updating your tables; or bind parameters using PDO or MYSQLI (I personally prefer the PDO binding style, but others like MYSQLI's).

    Steve
    ictus==""
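
The pattern described in replies #2 and #3, as an added example that is not part of the thread: the lookup fails when the form value is HTML-escaped before comparison, and succeeds when the raw value is bound as a parameter and escaping is left to the output stage. It assumes PHP with the pdo_sqlite extension; the `positions` table and its rows are constructed inline to mirror the opening post.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension.
// An in-memory SQLite table stands in for the poster's MySQL 'positions' table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE positions (pid INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO positions (pid, name) VALUES (1, 'carpenter')");
$pdo->exec("INSERT INTO positions (pid, name) VALUES (2, 'Foreman Insp. & Valves Rooms')");

// Constructed form submission, identical to the stored row.
$submitted = 'Foreman Insp. & Valves Rooms';

$lookup = $pdo->prepare('SELECT pid FROM positions WHERE name = :name');

// 1. The original approach: HTML-escaping before the lookup turns '&' into
//    '&amp;', so the bound value no longer equals the stored name and
//    fetchColumn() reports that no row matched.
$escapedForHtml = htmlentities($submitted, ENT_QUOTES, 'UTF-8');
$lookup->execute([':name' => $escapedForHtml]);
$pidFromEscaped = $lookup->fetchColumn();

// 2. The replies' approach: bind the raw input as a parameter. The driver keeps
//    data separate from the SQL text, so no escaping is needed for the query,
//    and the value compares byte-for-byte against the table.
$lookup->execute([':name' => $submitted]);
$pid = $lookup->fetchColumn();

// Input filtering = the value must exist in the allowed list (the table).
if ($pid === false) {
    throw new InvalidArgumentException('Unknown position submitted');
}

// 3. Output stage: escape for the HTML context only at the point of display.
$row = $pdo->prepare('SELECT name FROM positions WHERE pid = :pid');
$row->execute([':pid' => $pid]);
$name = $row->fetchColumn();

echo '<option value="' . htmlspecialchars((string) $pid, ENT_QUOTES, 'UTF-8') . '">'
   . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
   . "</option>\n";
```

The same rule applies when the stored value is later used for anything other than HTML (CSV export, e-mail, a second query): because the table holds the raw text, each consumer applies its own context-appropriate escaping.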