Reputation: 235
I'm working on a couple of pages to manage data coming from a textarea which the user can use to write some content through a basic WYSIWYG editor. In this textarea I enable a few tags. I'm wondering if the following process is going to be enough to protect myself from spam and other hidden dangers related to SQL query injection and so on.
My steps
function string_db ($value)
{
$value = (get_magic_quotes_gpc()) ? stripslashes($value) : $value;
return mysql_real_escape_string($value);
}
$content = string_db(trim($_POST['conten']));
$content = strip_tags($content, '<p><a><b><u><i>'); // The 5 tags allowed
$content = str_replace("<", "", $content);
">
$content = str_replace(">", "", $content); // In case someone tries to type HTML entities instead of HTML code
//INSERT DATA IN DB
On the page where I display the data previously saved in the db I use:
echo html_entity_decode($contentFromDb);
Is this enough? Is there a list of tests to do in order to prove the effectiveness?
Thanks a lot
Upvotes: 0
Views: 1024
Reputation: 50540
You should use PHP's PDO functionality instead. Using this you create prepared statements, which will help eliminate SQL injection vulnerabilities.
$DBH = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
# prepare the statement once; `table` is quoted because it is a reserved word in MySQL
$STH = $DBH->prepare("INSERT INTO `table` (col1, col2, col3) values (?, ?, ?);");
# assign variables to each place holder, indexed 1-3
# bindParam() binds by reference, so the variables can be set after binding
$STH->bindParam(1, $col1var);
$STH->bindParam(2, $col2var);
$STH->bindParam(3, $col3var);
# insert one row
$col1var = "My first value";
$col2var = "Value 2";
$col3var = "Someone's 3rd value";
$STH->execute();
# insert another row with different values
$col1var = "My first value; Query 2";
$col2var = "Value 2 -- of the second query";
$col3var = "Someone's 3rd value;#This one has weird characters";
$STH->execute();
In the above example, we connect to the database and set the database handle as $DBH. Then we prepare our query and use unnamed placeholders (the ?s). Next we bind our PHP variables to the unnamed placeholders. Finally, we set our variables and execute the query. This can be repeated with new values, simply by changing the data in the PHP variables.
Upvotes: 1
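As an added example (not code from the question or the answer above), this combines the two halves of the problem for the textarea case: the five allowed tags are kept with a DOMDocument-based allowlist that also drops attributes (strip_tags() keeps onclick="..." and href="javascript:..." on allowed tags), and the result is stored through a PDO prepared statement with a named placeholder. The $pdo handle, the table name posts and the column content are assumptions.

```php
<?php
// Added example, not from the question or the answer. Assumes a PDO handle $pdo,
// a table "posts" with a column "content". Allowlists the five tags from the
// question and keeps only a safe href on <a>, then inserts via prepared statement.
const ALLOWED_TAGS = ['p', 'a', 'b', 'u', 'i'];
function sanitize_content(string $html): string
{
    $doc = new DOMDocument();
    // Wrap the fragment in a container so it parses predictably without <html>/<body>.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD | LIBXML_NOERROR);
    $xpath = new DOMXPath($doc);
    // Process deepest elements first so unwrapping a node never orphans its children.
    $nodes = iterator_to_array($xpath->query('//div//*'));
    foreach (array_reverse($nodes) as $el) {
        if (!in_array($el->nodeName, ALLOWED_TAGS, true)) {
            // Disallowed tag (script, img, iframe, ...): keep its text, drop the element.
            while ($el->firstChild) {
                $el->parentNode->insertBefore($el->firstChild, $el);
            }
            $el->parentNode->removeChild($el);
            continue;
        }
        // Allowed tag: remove every attribute (event handlers, style, javascript: URLs).
        $href = $el->getAttribute('href');
        foreach (iterator_to_array($el->attributes) as $attr) {
            $el->removeAttribute($attr->name);
        }
        // Re-add href on <a> only for http(s) links; nofollow limits the spam incentive.
        if ($el->nodeName === 'a' && preg_match('#^https?://#i', $href)) {
            $el->setAttribute('href', $href);
            $el->setAttribute('rel', 'nofollow noopener');
        }
    }
    // Serialize the container's children; text nodes come back with < and & escaped.
    $div = $xpath->query('//div')->item(0);
    $out = '';
    foreach ($div->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
function store_content(PDO $pdo, string $raw): void
{
    $clean = sanitize_content(trim($raw));
    // The placeholder sends the value to MySQL separately from the SQL text, so no
    // mysql_real_escape_string() or magic-quotes handling is needed (or wanted) here.
    $stmt = $pdo->prepare('INSERT INTO posts (content) VALUES (:content)');
    $stmt->execute([':content' => $clean]);
}
```

When displaying, echo the stored string as-is: it is already sanitized HTML, and running html_entity_decode() on it would turn escaped text such as &lt;script&gt; back into live markup.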