Allen S

Reputation: 3539

PHP Sanitising and escaping special characters

I'm new to PHP, and I've got a form where people can submit values to a DB. Later those values will either be injected using JS, or be placed straight inside an HTML document.

I'm using the following to sanitise my inputs:

function sanitise($str){
  // HTML-encode first, then pass that result on to the SQL escaper.
  // (The original passed $str, not $string, so the htmlspecialchars()
  // result was silently discarded.)
  $string = htmlspecialchars($str);
  // mysql_real_escape_string() needs an open mysql_connect() link; the
  // mysql_* extension was removed in PHP 7, mysqli_real_escape_string()
  // is the equivalent there.
  $string = mysql_real_escape_string($string);
  return $string;
}

The problem with this is that inside my DB, the inputs that have quotes look like this: input's. This means if I inserted that value inside JS, the quotation mark would screw everything up.

I tried doing this to avoid the quote:

function sanitise($str){
  // Same chain as above, with the htmlspecialchars() result actually
  // carried forward into the SQL escaper.
  $string = htmlspecialchars($str);
  $string = mysql_real_escape_string($string);
  // A second layer of backslash escaping on top of the SQL escaping.
  return addslashes($string);
}

This converts my DB entry to something that looks like this: input\'s. This works within JS but if I was to inject that value directly inside <div></div> then the backslash will still be present... I'm confused as to what I'm doing wrong - how could I sanitize my inputs and at the same time universally escape special characters for both HTML and JS?

Upvotes: 1

Views: 2652

Answers (1)

staticsan

Reputation: 30555

Sanitisation of data means different things at different steps of your workflow. You also don't want to do it repeatedly or you will be propagating escape characters.

The modern approach is to try to work with data in the correct representation. That means if you have a name O'Niell then that's the actual content of the string. Usually this means data coming from the web browser can be used as provided. (Just make sure that magic quotes are disabled.)

It is when you pass the data to other layers that it is sanitised. The simplest case is checking it is a number just before you use it as a number, such as to look up a database row. The next simplest is using functions such as mysqli_real_escape_string right at the point you are assembling the SQL and no earlier. (Using prepared statements will do this for you, BTW.) Putting data into a URL or into JavaScript is likewise done the same: you escape the data at the point you are emitting it.

Doing this as late as possible solves two problems. The first is that you don't have the problem of working with escaped data. The second is that then you don't double-escape the data.

Upvotes: 1
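The approach the answer describes, as an added example that is not code from the question or the answer: the raw value goes into the database through a prepared statement, and escaping happens once, at output, with a different encoder for each context (HTML body, inline JavaScript, URL). The example uses an in-memory SQLite database through PDO so it runs offline; the table name, the helper names (storeName, loadNames, forHtml, forJs, forUrl) and the sample input are all constructed for this illustration. Against MySQL only the DSN changes.

```php
<?php
// Added example (not from the question or answer): keep the raw value in the
// database and escape it once, for the specific output context, at emission time.
// Uses an in-memory SQLite database via PDO so it runs offline; a real app would
// point the DSN at MySQL, but the prepared-statement pattern is identical.

declare(strict_types=1);

// Storage layer: a prepared statement sends the value separately from the SQL
// text, so no mysql_real_escape_string()/addslashes() is needed and the DB holds
// exactly what the user typed (O'Niell stays O'Niell).
function storeName(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO people (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

function loadNames(PDO $db): array
{
    return $db->query('SELECT name FROM people ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);
}

// HTML context: ENT_QUOTES also encodes the single quote, which the default
// flags on PHP before 8.1 (ENT_COMPAT) leave untouched.
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript context: json_encode() yields a valid JS string literal, and the
// JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes so the literal
// cannot break out of an inline <script> block or an attribute.
function forJs(string $value): string
{
    $encoded = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
    if ($encoded === false) {
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return $encoded;
}

// URL query-string context.
function forUrl(string $value): string
{
    return rawurlencode($value);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample input: a legitimate apostrophe plus characters that are
// special in HTML and in JavaScript.
storeName($db, "O'Niell <script>\"&");

// Each output line applies exactly one encoder, chosen by where the value lands.
foreach (loadNames($db) as $name) {
    echo "raw in DB : {$name}\n";
    echo "HTML      : <div>" . forHtml($name) . "</div>\n";
    echo "JS        : <script>var n = " . forJs($name) . ";</script>\n";
    echo "URL       : /search?q=" . forUrl($name) . "\n";
}
```

Because nothing is escaped on the way in, the "raw in DB" line shows the apostrophe and angle brackets unchanged, and each of the other three lines is safe for its own context without any backslashes leaking into the HTML. Running forHtml() over a value that was already HTML-encoded would produce the doubled entities the answer warns about, which is the practical reason to encode exactly once, at the output call.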
