
htmlspecialchars doesn't appear to be working

100+
P: 155
I'm using this:
[PHP]<?php
if (isset($_POST['submitted']))
{

$city = htmlspecialchars($_POST['city']);

if (!get_magic_quotes_gpc())
{
$city = addslashes($city);
}

$query = "INSERT INTO table VALUES ('', '$city');
$result = mysql_query($query) or die('There was an error');
if ($result)

echo "<br>Entry Added!";
footer(); // Include the HTML footer.
exit();
mysql_close();
}
?>

The form goes here.[/PHP]

Isn't this supposed to change the @ sign and put slashes before single quotations (')? When I look into my database I don't see where these have been changed. I'm not seeing a problem on the front side, but could it become a problem?

I've not allowed a user to submit data directly into my database before. I've always used a form-mail to have the user information sent to me, then I would put the data into the database. However, there is a time delay in doing it this way and I'd like the user to be able to edit his/her own information. I just want to have some sense of security though.

Why is this showing up in red?
Jul 28 '07 #1
3 Replies


kovik
Expert 100+
P: 1,044
Isn't this supposed to change the @ sign and put slashes before single quotations (')? When I look into my database I don't see where these have been changed. I'm not seeing a problem on the front side, but could it become a problem?
No, it is not. htmlspecialchars() is meant to convert HTML entities into their encoded counterparts. For example, the ampersand (&) would become &amp; and the less than sign (<) would become &lt;. It should not be used when putting information into the database; only when taking information out of it. It is meant to filter out any HTML input so that you can avoid abuse and XSS (cross-site scripting) and users can't use HTML against you, such as the <script> tag.

If you want to escape data going into the database, you need to use mysql_real_escape_string(). It filters information for your SQL queries and should be used on all of your data that you put into your queries unless you typecast it to an integer. It will escape all necessary characters so that the query does not fail and you are not vulnerable to SQL injection.

The change will not be visible if you look in the database. MySQL displays escaped characters the way that it should.

Why is this showing up in red?
It is showing up in red because you forgot to close the quotes on the query.
Jul 28 '07 #2
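The two layers kovik separates, as an added example that is not code from the thread: it uses PDO with an in-memory SQLite table (assumed available) so it runs without a MySQL server, and a prepared statement stands in for mysql_real_escape_string(), which no longer exists in current PHP.

```php
<?php
// Added example (not from the thread): the two escapes belong to two different
// layers. htmlspecialchars() protects the HTML page on the way out; a prepared
// statement (the modern replacement for mysql_real_escape_string()) protects
// the SQL query on the way in. SQLite in memory stands in for MySQL.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ads (id INTEGER PRIMARY KEY, city TEXT)');

// Constructed input in the shape a form could submit: a quote and an HTML tag.
$city = "O'Fallon <b>IL</b>";

// 1. What the original post does: glue the value into the SQL text.
//    The single quote ends the string literal early and the query breaks,
//    which is the same weakness an injected payload would use.
try {
    $db->exec("INSERT INTO ads (city) VALUES ('$city')");
    echo "concatenated query ran (unexpected)\n";
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

// 2. The SQL fix: the value travels as a bound parameter, never as SQL text.
$stmt = $db->prepare('INSERT INTO ads (city) VALUES (:city)');
$stmt->execute([':city' => $city]);

// As kovik says, nothing looks "escaped" inside the table: the stored value
// is the user's original text, byte for byte.
$stored = $db->query('SELECT city FROM ads')->fetchColumn();
echo ($stored === $city) ? "stored value unchanged\n" : "stored value altered\n";

// 3. The HTML fix happens when the value is printed into a page: <b> becomes
//    &lt;b&gt;, so the browser shows the tag as text instead of interpreting it.
$forPage = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
echo $forPage . "\n";
```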

100+
P: 155
I don't get the 'A "Best Practice" query' example on the mysql_real_escape_string website and wouldn't know how to use it with my form.

They have database fields named name and description, but use these variables: $product_name, $product_description. Then they use these values: %s, %s, %d.

For simplicity's sake they should have kept to using the same variable they started out with throughout the example.

They use something different in each step of the process. As a novice, I can't read this example and implement it without -- knowing -- that it would churn out error after error after error.

Is there a complete, yet simple way to implement mysql_real_escape_string and whatever else is necessary, to allow a user to submit data directly to the database and have some level of assurance that your server and website will not be destroyed?
I doubt my website will ever reach the level of Google or Yahoo, so I probably don't need the same level of security that they have. I just want to institute a small job board to use in my area.

I would like for a user to be able use <i></i>, <b></b>, <u></u> and maybe even <li></li> tags. A little HTML to dress up the ad a little if they would like.


I found this:
[PHP]function safe_sql( $value )
{
    $value = nl2br($value);
    $value = trim(strip_tags($value,'<br>'));
    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not integer
    if (!is_numeric($value)) {
        $value = mysql_real_escape_string($value);
    }
    return $value;
} // End of Function[/PHP]

I read that all of these are a good idea: trim, strip_tags and mysql_real_escape_string. The above uses them. How would I use this function, or rather, how would I need to write all my field variables to take advantage of this function - $value?
Jul 28 '07 #3

kovik
Expert 100+
P: 1,044
Firstly, that function is disgusting and pointless. It's basically a way to clean up magic_quotes if they are on prior to escaping, but magic_quotes should be dealt with separately. They are turned off by default.

I'm not sure what part of the examples you don't get. mysql_real_escape_string() is a function. It's that simple. You pass all values through it before inputting something into the database, and you'll be generally safe from SQL injection.

[PHP]mysql_query("INSERT INTO `table` SET `name` = '" . mysql_real_escape_string($_POST['name']) . "';");[/PHP]
Jul 29 '07 #4
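One way to apply a single cleaning function to every form field while allowing the few tags the job board wants, as an added example that is not code from the thread. Table and field names, the constructed $_POST contents and the in-memory SQLite table are assumptions; the prepared statement replaces the per-value mysql_real_escape_string() call.

```php
<?php
// Added example (not from the thread): one cleaning function for every form
// field, with a small allowlist of tags, applied before the row is bound into a
// prepared statement. Table and field names are hypothetical; SQLite in memory
// stands in for the site's MySQL connection so the script runs as-is.

function clean_field(string $value, array $allowed_tags = []): string
{
    $value = trim($value);
    // Remove every tag except the allowed ones; strip_tags wants '<b><i>' form.
    // Tag contents stay, so "<script>x()</script>" leaves the text "x()" behind.
    $keep  = implode('', array_map(fn($t) => "<$t>", $allowed_tags));
    $value = strip_tags($value, $keep);
    // strip_tags keeps attributes on allowed tags, so <b onclick="..."> would
    // survive; rewrite each allowed tag (opening or closing) to its bare form.
    if ($allowed_tags) {
        $names = implode('|', array_map('preg_quote', $allowed_tags));
        $value = preg_replace('/<(\/?)(' . $names . ')\b[^>]*>/i', '<$1$2>', $value);
    }
    return $value;
}

// Constructed form submission standing in for a real $_POST.
$_POST = [
    'name'        => '  Jane Doe  ',
    'city'        => "O'Fallon",
    'description' => '<b onclick="x()">Cook</b> wanted, <i>apply today</i> <script>x()</script>',
];

// Which fields the form may submit, and which of them may carry markup.
$fields = ['name' => [], 'city' => [], 'description' => ['b', 'i', 'u', 'li']];
$row = [];
foreach ($fields as $name => $tags) {
    $row[':' . $name] = clean_field($_POST[$name] ?? '', $tags);
}
echo $row[':description'], "\n";

// No mysql_real_escape_string() needed: bound values are never parsed as SQL.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE ads (name TEXT, city TEXT, description TEXT)');
$stmt = $db->prepare('INSERT INTO ads (name, city, description) VALUES (:name, :city, :description)');
$stmt->execute($row);
```

Because the description is meant to be rendered with its tags, it is not passed through htmlspecialchars() on output, so the allowlist is the only thing limiting the markup. An unclosed <b> or <li> in a submission can still disturb the page layout, which is a display problem rather than a security one.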
