Menu
I am a bit confused, there are so many functions in PHP, and some using this, some using that. Some people use: htmlspecialchars(), htmlentities(), strip_tags() etc
Which is the correct one and what do you guys usually use?
Is this correct (advise me a better one, if any):
$var = mysql_real_escape_string(htmlentities($_POST['username'])); This line can prevent MySQL injection and XSS attack??
Btw, is there any other things I need to pay attention besides XSS attack and MySQL injection?
EDIT
To conclude:
If I want to insert string to the database, I do not need to use htmlentities, just use the mysql_real_escape_string. When displaying the data, use htmlentities(), is that what you all mean??
Summarize:
mysql_real_escape_string used when insert into databasehtmlentities() used when outputting data into webpagehtmlspecialchars() used when?strip_tags() used when?addslashes() used when?Can somebody fill in the question mark?
377
The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.
PHP has a specially-made function to prevent these attacks. All you need to do is use the mouthful of a function, mysql_real_escape_string . mysql_real_escape_string takes a string that is going to be used in a MySQL query and return the same string with all SQL injection attempts safely escaped.
PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context.
Code injection is a technique that a threat actor uses to input or inject malicious code which takes advantage of a validation flaw in the software. Code injection is also known as remote code execution (RCE).
What is PHP Code Injection? A code injection attack exploits a computer bug caused by processing invalid data. The attacker introduces (or injects) code into the vulnerable computer program and changes the execution. Successful code injections can introduce severe risks. For example, it can enable viruses or worms to propagate.
Code injectionis an attack that delivers a malicious code payload through a vulnerable attack vector. The aim is to compromise the integrity of the intended target application. The attacker can send executable PHP code or JavaScript that is executable either on the runtime side of the application or within the end user’s browser.
Using PDO PDO or PHP Data Objects are very useful – probably the most effective in preventing SQL Injection Attacks. PDO also uses prepared statements and binds values at runtime. You can check out this link herefor more tutorial on PDO.
This is sufficient if you want to prevent a simple injection attack, but there are no doubt many other security issues you should be aware of when developing a web app, another major one being cross site request forgeries. Show activity on this post. I wouldn't use htmlentities () when inserting data into the database or querying the database.
mysql_real_escape_stringused when insert into databasehtmlentities()used when outputting data into webpagehtmlspecialchars()used when?strip_tags()used when?addslashes()used when?
htmlspecialchars is roughly the same as htmlentities. The difference: character encodings.
Both encode control characters like <, >, & and so on used for opening tags etc. htmlentities also encode chars from other languages like umlauts, euro-symbols and such. If your websites are UTF, use htmlspecialchars(), otherwise use htmlentities().
htmlspecialchars / entities encode the special chars, so they're displayed but not interpreted. strip_tags REMOVES them.
In practice, it depends on what you need to do.
An example: you've coded a forum, and give users a text field so they can post stuff. Malicious ones just try:
pictures of <a href="javascript:void(window.setInterval(function () {window.open('http://evil.com');}, 1000));">kittens</a> here If you don't do anything, the link will be displayed and a victim that clicks on the link gets lots of pop-ups.
If you htmlentity/htmlspecialchar your output, the text will be there as-is. If you strip_tag it, it simply removes the tags and displays it:
pictures of kittens here Sometimes you may want a mixture, leave some tags in there, like <b> (strip_tags can leave certain tags in there). This is unsafe too, so better use some full blown library against XSS.
To quote an old version of the PHP manual:
Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash () and NUL (the NULL byte).
An example use of addslashes() is when you're entering data into a database. For example, to insert the name O'reilly into a database, you will need to escape it. It's highly recommeneded to use DBMS specific escape function (e.g. mysqli_real_escape_string() for MySQL or pg_escape_string() for PostgreSQL), but if the DBMS you're using does't have an escape function and the DBMS uses \ to escape special chars, you can use this function.
The current version is worded differently.
73
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
