www.webdeveloper.com

Thread: does htmlspecialchars() remove sql injection?

  1. #1
    Join Date
    Oct 2007
    Posts
    154

    does htmlspecialchars() remove sql injection?

    I'm using htmlspecialchars on my textarea and want to keep the html format while removing sql injection. Is htmlspecialchars good for this?

  2. #2
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,537
    No. htmlspecialchars() is for filtering output to be sent to a web browser. For data to be output via SQL to a database you want to use a function that escapes certain characters that are "special" to SQL, preferably one specific to the DBMS in question, such as mysql_real_escape_string() for MySQL.
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us
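To make the distinction in the answer above concrete, here is an added example (not code from the thread or from any of its posters). It shows that htmlspecialchars() leaves the SQL-relevant single quote alone unless ENT_QUOTES is passed, then stores the textarea content through a parameterized query (so no character in the text can alter the statement and nothing is modified) and only HTML-encodes it at render time. It assumes the pdo_sqlite extension so it runs offline; with MySQL only the PDO DSN changes. The sample input is constructed.

```php
<?php
// Added example: htmlspecialchars() is output encoding, not SQL protection.
// Storage uses a parameterized query; HTML encoding happens only on output.
// Assumes pdo_sqlite (in-memory database) so the script runs without a server.

declare(strict_types=1);

// Constructed input: a quote, a newline, tabs and HTML-looking text, the kind
// of thing pasted into a textarea.
$input = "It's a <b>test</b>\n\t* bullet one\n\t* bullet two";

// 1. htmlspecialchars() alone. With ENT_COMPAT the single quote is untouched;
//    only ENT_QUOTES encodes it. Either way this is HTML encoding, and the
//    result would still be wrong to splice into an SQL statement.
var_dump(htmlspecialchars("It's", ENT_COMPAT, 'UTF-8'));
var_dump(htmlspecialchars("It's", ENT_QUOTES, 'UTF-8'));

// 2. Storage: bound parameters. The driver sends the body as data, separate
//    from the SQL text, so quotes and backslashes in it are just bytes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

function savePost(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

$id     = savePost($db, $input);
$stored = loadPost($db, $id);
if ($stored !== $input) {
    throw new RuntimeException('stored text should be byte-for-byte identical');
}

// 3. Output: encode for HTML when rendering. Tabs and newlines survive the
//    encoder; nl2br() turns newlines into <br /> so the layout is visible.
function renderPost(string $body): string
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

echo renderPost($stored), PHP_EOL;
```

The flags are passed explicitly because PHP 8.1 changed the default from ENT_COMPAT to ENT_QUOTES; spelling them out keeps the behaviour the same across versions. The round trip through the database is the check worth keeping in a test: whatever escaping or binding mechanism is used, the text read back must equal the text written.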

  3. #3
    Join Date
    Oct 2007
    Posts
    154
    Are there any other techniques other than mysql_real_escape_string to remove sql injection? It tends to remove my text formatting such as bullets and tabs which I have copy pasted into the textarea.

    I'm using wysiwyg for an online texteditor. I'm not sure if it's safe already.
    Last edited by sc_king; 10-30-2007 at 06:19 PM.

  4. #4
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,537
    When used as intended, mysql_real_escape_string() does not change any text that gets saved in the database. All it does is "escape" certain characters that would otherwise have special meaning in SQL. The escaping character (a back-slash) never actually makes it into the data, so if your data is being modified in some way, it is likely due to something else (such as the dreaded "magic_quotes_gpc" setting), or the way you are later outputting the data after retrieving it from the database. (Note that the preceding may not hold true if using mysql_real_escape_string() with a DBMS other than MySQL.)
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us
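The point made above, that the escaping backslash never reaches the table unless something has escaped the data twice, can be shown without a database. The following is an added example, not code from the thread or its posters. Since mysqli_real_escape_string() needs a live connection, addslashes() stands in for it (for the quote and backslash characters in this sample both produce the same backslash escaping, an assumption stated here). mysqlDecodeLiteral() is a deliberately simplified model of how the server reads a backslash-escaped string literal, constructed for this illustration and covering only the escapes addslashes() emits.

```php
<?php
// Added example: escaping once leaves the stored data unchanged; escaping
// twice (magic_quotes_gpc plus the script's own escape) stores backslashes.
// addslashes() stands in for mysqli_real_escape_string() (no server needed).

declare(strict_types=1);

// Simplified, constructed model of the MySQL lexer reading a string literal:
// a backslash is consumed and the character after it is kept (or mapped for
// the few letters that denote control characters).
function mysqlDecodeLiteral(string $escaped): string
{
    $out = '';
    $len = strlen($escaped);
    for ($i = 0; $i < $len; $i++) {
        $c = $escaped[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $next = $escaped[++$i];
            $out .= match ($next) {
                '0'     => "\0",
                'n'     => "\n",
                'r'     => "\r",
                'Z'     => "\x1a",
                default => $next,   // \' \" \\ and anything else: keep the char
            };
        } else {
            $out .= $c;
        }
    }
    return $out;
}

// Constructed textarea content with the characters that escaping touches.
$typed = "Bob's \"list\" C:\\temp";

// Correct path: escape exactly once. The backslashes exist only inside the
// SQL statement text; what the server stores equals what was typed.
$once   = addslashes($typed);
$stored = mysqlDecodeLiteral($once);
var_dump($once, $stored === $typed);

// Broken path: magic_quotes_gpc already ran addslashes() over $_POST, and the
// script escapes again. The server strips one layer, the other one lands in
// the table, and the text comes back with stray backslashes.
$fromMagicQuotes = addslashes($typed);            // what $_POST contained
$twice           = addslashes($fromMagicQuotes);  // script escapes "again"
$storedBroken    = mysqlDecodeLiteral($twice);
var_dump($twice, $storedBroken);

// Defensive normalisation: undo magic quotes only when the setting is on.
// get_magic_quotes_gpc() exists up to PHP 7.4 (always false from 7.4) and
// was removed with the setting in PHP 8, hence the function_exists() guard.
function normalizeRequestValue(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

var_dump(mysqlDecodeLiteral(addslashes(normalizeRequestValue($fromMagicQuotes))) === $typed);
```

The diagnostic this gives a practitioner is simple: if the text read back from the table contains backslashes the user never typed, the data was escaped more than once on the way in (or the output path is adding them), not corrupted by the escaping function itself.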

  5. #5
    Join Date
    Oct 2007
    Posts
    154
    Do you know if the WYSIWYG text editor is secure against SQL injection and other security risks?

  6. #6
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,537
    I do not "know", but I highly doubt it. I strongly suggest you read Essential PHP Security. (It's available at that site as an E-book if you don't want to spend the money on the paper version.) Also spend a little time carefully reading the PHP manual pages about SQL Injection, mysql_real_escape_string(), and "magic quotes".
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  7. #7
    Join Date
    Oct 2007
    Posts
    154
    Thanks!
