Anti Injection Function

4 replies to this topic

#1 bbqroast (Codecall Addict, Members, 554 posts, Location: /etc/passwd)

Hello!
I am preparing my first (live) website, and I want tight security, so I have decided to make every effort to keep my PHP code secure. As code injection is a serious risk, I have decided to write a string validator:

    function safeString($str) {
        // Keep the return value: htmlentities() does not modify its argument.
        $str = htmlentities($str, ENT_QUOTES, "UTF-8");

        // The mysql extension's function is mysql_real_escape_string(); it
        // returns false when there is no open MySQL connection.
        $escaped = mysql_real_escape_string($str);
        if ($escaped === false) {
            $str = "ERROR! Mysql escape error.";
        } else {
            $str = $escaped;
        }

        return $str;
    }

This function will be called for all strings inputted into the script. So, can anyone see a way around it? Also, is there a reverse function for mysql_real_esc... that I can call before outputting the data onto a webpage?
Please, write clearly with proper structure. Double spacing makes the text feel un-jointed, Capitalizing Every Word Means People Stop Before Every Word Sub-Consciously Which Is A Pain In The Backside, and use code tags! (The right most styling box).

#2 Alexander (It's Science!, Moderators, 4,124 posts, Location: Vancouver, Eh!, Cleverness: 200)

There are various escaping methods for various applications. MySQL will require escaping of command characters; however, this is generally an issue with PHP, where a string is manipulated into allowing these command characters to change the meaning of the query.

If you use bound (prepared) statements you can "universally" bypass issues like this, so that they are useless to the database command language. Verifying whether "johnny 'a = foo" is a proper name to be stored, however, is up to you; it will do no harm.

For a client-side web browser, a name such as <big>Rupert</big> will be an issue, so an HTML entity translation can help; however, you will be bloating your database with useless entities. If you have rich documents with a lot of formatting, converting to entities beforehand may bloat the database; you may wish to do this on each page load if available data is a commodity.


bbqroast said:

also is there a reverse function for mysql_real_esc... that I can call before outputting the data onto a webpage??

If used properly, it will render an apostrophe or quote as an apostrophe or quote. If you were to "reverse" this behaviour on the resulting page, you will be stripping every valid quotation as they are the same as before escaping.

You may wish to modularise your global escaping functions (keep database escaping to one function, entity escaping to another, etc.), only if there is significant work to justify a custom wrapping function.

Alexander.
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.

#3 bbqroast (Codecall Addict, Members, 554 posts, Location: /etc/passwd)

Alexander said:

If used properly, it will render an apostrophe or quote as an apostrophe or quote. If you were to "reverse" this behaviour on the resulting page, you will be stripping every valid quotation as they are the same as before escaping.

OK, now I am confused: doesn't it simply insert a / before quotes and such? Also, I am not too worried about HTML entities bloating my database.

#4 Alexander (It's Science!, Moderators, 4,124 posts, Location: Vancouver, Eh!, Cleverness: 200)

bbqroast said:

Ok now I am confused, doesn't it simply insert a / before quotes and such

The database will not actually store " \' " unless you have encoded incorrectly; there is no reason to "unescape" the text upon displaying.

The only reason why we escape at all is because " ' " means something in SQL, and it must know if it is an entity (character) or delimiter (of a string).
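Alexander's two points, bound parameters for the database (post #2) and the stored value coming back without any backslashes so that only output-time HTML escaping is needed (post #4), as an added example that is not code from the thread. It assumes PDO with an in-memory SQLite database and a constructed `users` table, and feeds it the two names discussed above.

```php
<?php
// Added example, not from the thread: bound parameters keep data out of the
// SQL text, so nothing is escaped going in and nothing needs "unescaping"
// coming out; HTML escaping happens only at the moment of output.
// Assumptions: PDO with an in-memory SQLite database and a made-up users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// The two names discussed in the thread, stored exactly as the user typed them.
$names = ["johnny 'a = foo", "<big>Rupert</big>"];

$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
foreach ($names as $name) {
    $insert->execute([':name' => $name]);   // no quoting, no backslashes added
}

// What the database holds is the original text: there is no "\'" to strip.
$stored = $db->query('SELECT name FROM users ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
assert($stored === $names);

// The apostrophe in the bound value is data, not a string delimiter, so the
// lookup matches the row instead of changing the meaning of the query.
$find = $db->prepare('SELECT id FROM users WHERE name = :name');
$find->execute([':name' => "johnny 'a = foo"]);
assert((int) $find->fetchColumn() === 1);

// Escape for the output context (HTML) only when rendering, never before storing.
function renderName(string $name): string
{
    return '<li>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</li>';
}

foreach ($stored as $name) {
    echo renderName($name), "\n";
}
```

The same page would escape the same stored value differently if it were emitted into JSON or a URL, which is why the escaping step belongs at the output, not at the input.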

#5 bbqroast (Codecall Addict, Members, 554 posts, Location: /etc/passwd)

Oh, I see now! MySQL just ignores the \ completely (and doesn't handle the character after it as 'special'). I was just wondering because on another user's demo I entered a ' in the description, and when I looked at it after submitting it was a /' (on the page).