Bilal Tariq

Reputation: 152

Storing user data in database without escaping

Most of my questions are theoretical in nature since I think "Great minds discuss Ideas" and clerks discuss syntax.

Anyway, so here is the situation.

I have a system which takes input from a user, BUT none of that input is used in queries (at all). This input contains a lot of code snippets. Now, in the past I escaped the input and then stored it in the database. I do not use the add- and strip-slashes functions of any sort; rather I use my own procedures which use preg_replace like the following:

// Replace characters that could be significant in HTML output with entities.
$data = preg_replace("/\;/", "&#59;", $data);  // semicolon
$data = preg_replace("/</", "&lt;",   $data);  // less-than
$data = preg_replace("/>/", "&gt;",   $data);  // greater-than
$data = preg_replace("/\"/", "&quot;",$data);  // double quote
$data = preg_replace("/\(/", "&#40;", $data);  // opening parenthesis

However, the following problems occurred.

At times the software will escape the data wrongly (since my software is not bug free) and I will have no way of finding out what the actual data was. From time to time I update my escaping procedures, and that means different inputs are escaped differently.

The user has an option to EDIT his post. Thus it means that I have to present him the escaped data (or un-escape the data) to prevent escaping data twice. SO finally I have come to the conclusion that I save un-escaped data from the user directly into the database and escape it before display (it has no other purpose, no use in queries etc.). For anything else I have the original data unchanged.

My Questions:

Can un-escaped user data in the database still be dangerous even when not used in queries or escaped before display?

Is escaping with slashes equal to / better than / different from escaping by changing characters, e.g. < into &lt;?

If the data is properly escaped (I mean all special characters), can it still be used for an XSS attack? SQL injection is out of the question.

Upvotes: 1

Views: 237

Answers (2)

Mike Brant

Reputation: 71404

Yes, it can be dangerous. The user could easily inject code to run his own queries on your database (even if you don't intend to query this data).

Upvotes: 0

Ignacio Vazquez-Abrams

Reputation: 799082

Never encode data for display until you are actually going to display it. When storing, encode for storage, when transmitting, encode for transmission, etc. The proper encoding at the proper time will handle these issues for you.

Upvotes: 12
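As an added example (not code from the question or either answer), this shows the pattern the accepted answer describes and addresses the asker's edit-form problem: the raw text is stored through a bound parameter, and HTML encoding happens only at the moment of output. It assumes PHP with the pdo_sqlite extension; the table, function names and sample post are all constructed for this illustration.

```php
<?php
// Added example: encode at the boundary where the data is used, not before.
// Assumption: pdo_sqlite is available; an in-memory database keeps it self-contained.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Storage: the value is bound as a parameter, never interpolated into SQL,
// so the original bytes are preserved exactly and no slash-escaping is needed.
function savePost(PDO $db, string $body): int {
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Display: encode for the HTML context at output time. ENT_QUOTES covers both
// quote styles; ';' and '(' need no encoding in HTML text content.
function renderHtml(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Edit form: the same encoding is applied, and the browser decodes the entities
// back to the original text, so re-submitting the form never double-escapes.
function renderEditForm(int $id, string $raw): string {
    return '<input type="hidden" name="id" value="' . $id . '">'
         . '<textarea name="body">' . renderHtml($raw) . '</textarea>';
}

// Constructed sample post: a code snippet containing the characters the
// question's regexes targeted.
$db  = openDb();
$raw = 'if ($x < 1) { echo "<b>hi</b>"; }';
$id  = savePost($db, $raw);

$stored = loadPost($db, $id);
if ($stored !== $raw) {
    throw new RuntimeException('storage altered the data');   // storage must be lossless
}
echo renderHtml($stored), "\n";          // safe in an HTML body
echo renderEditForm($id, $stored), "\n"; // safe in the edit form
```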
