My users are allowed to insert anything into my database.
So using a whitelist / blacklist of characters is not an option.
I'm not worried (covered it) about the database end (SQL injection), but rather code injection in my pages.
Are there any situations where htmlspecialchars()
wouldn't be sufficient to prevent code injection?
You use htmlspecialchars EVERY time you output content within HTML, so it is interpreted as content and not HTML. If you allow content to be treated as HTML, you have just opened the door to bugs at a minimum, and total XSS hacks at worst.
The htmlspecialchars() function is used to convert special characters (e.g. & (ampersand), " (double quote), ' (single quote), < (less than), > (greater than)) to HTML entities (i.e. & (ampersand) becomes &amp;, " (double quote) becomes &quot;, ' (single quote) becomes &#039;, < (less than) becomes &lt;, > (greater than) becomes &gt;).
Using htmlspecialchars() function – The htmlspecialchars() function converts special characters to HTML entities. For a majority of web-apps, we can use this method and this is one of the most popular methods to prevent XSS. This process is also known as HTML Escaping.
PHP's htmlspecialchars function is for escaping characters that have special meaning to a browser, such as angle brackets, to make them appear as normal characters instead of being interpreted as HTML markup. It has nothing to do with SQL or preventing SQL injection.
No, it's not sufficient in all situations. It highly depends on your codebase. For example, if you use JavaScript to make certain AJAX requests to a database, htmlspecialchars() will sometimes not be enough (depending where you use it). If you want to protect cookies from JavaScript XSS, htmlspecialchars() will also not be good enough.
Here are some examples of when htmlspecialchars() may fail: https://www.owasp.org/index.php/Interpreter_Injection#Why_htmlspecialchars_is_not_always_enough. Your question is also highly dependent on what database you're using (not everyone uses MySQL). If you're writing a complex application I highly suggest using one of the many frameworks out there that abstract these annoying little idiosyncrasies and let you worry about the application code.
htmlspecialchars will suffice. With < and > being converted to &lt; and &gt; you cannot include scripts anymore.
Plain htmlspecialchars is not sufficient when inserting user text into single quoted attributes. You need to add ENT_QUOTES in that case and you need to pass the encoding.
<tag attr='<?php echo htmlspecialchars($usertext); ?>'> <!-- dangerous if ENT_QUOTES is not used -->
When inserting user text into javascript/json as string you'll need additional escaping.
I think it fails for strange character sets too. But if you use one of the usual charsets (UTF-8, Latin1, ...) it will work as expected.
Using htmlspecialchars is sufficient when inserting inside HTML code. The way it encodes the characters makes it impossible for the resulting text to "break out" of the current element. That way it can neither create other elements, nor script segments etc.
However, in all other situations htmlspecialchars is not automatically enough. For example, when you use it to insert code within some JavaScript area, for example when you fill a JavaScript string with it, you will need additional methods to make it safe. In that case addslashes could help.
So depending on where you insert the resulting text, htmlspecialchars gives you either enough security or not. As the function name already suggests, it just promises security for HTML.