All geek questions in one place

PHP - non-destructive input sanitation

I have a TextArea on my website that I enter into my database.

I want to filter out this TextArea input, but without removing any HTML tags or other materials.

In short, I want to systematize and protect the input data before I write it to my database, but I want the record to be intact and not changed when I return the record from the database and write it on the website.

How can i achieve this?

+3
source share
3 answers

If you want to save the data symbol for the symbol when you return it to the website, try:

$stringToSave = mysql_real_escape_string($inputString);

Then, retrieving it from the database:

$stringToPutOnPage = htmlentities($databaseString);

, html html ( XSS), :

$stringToSave = mysql_real_escape_string($inputString);

: , html , . , .

+3

, , , , escaping, , mysql_real_escape_string. , XSS, , .

+2

:

  • SQL-, mysql_real_escape_string SQL- , .
  • XSS / HTML, HTML , HTML.
  • JSON JSON, CSV CSV ..

. "test" ( , ), $foo = ""test"". , , : $foo = "\"test\"".

SQL-, XSS HTML- - . , , , :

$comment = "\"foo\"";  // comment is "foo", including quotes
$query = 'INSERT INTO `db` (`comment`) VALUES ("' . $comment . '")';
       // INSERT INTO `db` (`comment`) VALUES (""foo"")

, - SQL-. mysql_real_escape_string :

$query = 'INSERT INTO `db` (`comment`) VALUES ("' . mysql_real_escape_string($comment) . '")';
       // INSERT INTO `db` (`comment`) VALUES ("\"foo\"")

HTML escaping is exactly the same, only with various syntax issues.
You only need to avoid your values ​​in the right context using the right method. To avoid HTML values, use htmlentities. Do it at the right time. Avoid premature or excessive values ​​of your values, use only the appropriate evacuation function in the right context at the right time.

+1
source

Source: https://habr.com/ru/post/1795914/

More articles:


All Articles