The URL would be
would strip_tags() and mysql_real_escape_string() be enough?
"Enough sanitization" thoroughly depends on what environment you're talking about. Sanitization for MySQL should be considered entirely separate from sanitization for web output, and you should handle them separately to avoid a lot of hassle.
Sanitizing for MySQL
mysql_real_escape_string()
will sanitize a piece of data and make it safe to put inside an SQL query.Sanitizing for output
htmlspecialchars($val)
at output time will prevent any malicious tags from being rendered, because <
and >
characters are converted into their entity representations and not rendered as tag delimiters.ENT_QUOTES
modifier if you are outputting something that is inside an HTML element's quoted attribute, such as <input name="email" value="<?php echo htmlspecialchars($email,ENT_QUOTES); ?>" />
That should be all you need, unless you have special requirements. strip_tags()
shouldn't really be used for sanitization, as it can be fooled with badly formed HTML. Sanitization is a worthy goal, and if you can keep your contexts separate, you'll run into fewer problems with data manipulation between them.
It's probably safer and better to call htmlentities() on the string instead of counting on strip_tags().
strip_tags() won't remove html special chars like '"&
e.g., if your code is:
<img src="<?= strip_tags($myVar) ?>">
and
$myVar = '">something goes here<';
then you end up with:
<img src="">something goes here<">
Which is pretty obviously the root of an XSS hole; an actual exploit is left as an exercise for the reader.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With