TaG

Reputation: 611

How do I integrate HTML Purifier to filter user-submitted data?

I have this script that collects data from users and I want to check their data for malicious code (such as XSS and SQL injections) by using HTML Purifier, but how do I add it to my PHP form submission script?

Here is my HTML Purifier code:

require_once '../../htmlpurifier/library/HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();
$config->set('Core.Encoding', 'UTF-8'); // replace with your encoding
$config->set('HTML.Doctype', 'XHTML 1.0 Strict'); // replace with your doctype
$purifier = new HTMLPurifier($config);

// $dirty_html holds the user-submitted HTML string; purify() returns the cleaned markup
$clean_html = $purifier->purify($dirty_html);

Here is my PHP form submission code:

if (isset($_POST['submitted'])) { // Handle the form.

    $mysqli = mysqli_connect("localhost", "root", "", "sitename");
    $user_id = 3; // the id hard-coded in the original SELECT; normally this comes from the session

    // Does this user already have a profile row? (joins profile, which the SELECT list refers to)
    $dbc = mysqli_query($mysqli, "SELECT users.*, profile.*
                                  FROM users
                                  INNER JOIN profile ON profile.user_id = users.user_id
                                  WHERE users.user_id = $user_id");

    $about_me = mysqli_real_escape_string($mysqli, $_POST['about_me']);
    $interests = mysqli_real_escape_string($mysqli, $_POST['interests']);

    if (mysqli_num_rows($dbc) == 0) {
        // No profile row yet: create one on the existing connection.
        $dbc = mysqli_query($mysqli, "INSERT INTO profile (user_id, about_me, interests)
                                      VALUES ('$user_id', '$about_me', '$interests')");
    }

    if ($dbc == TRUE) {
        $dbc = mysqli_query($mysqli, "UPDATE profile
                                      SET about_me = '$about_me', interests = '$interests'
                                      WHERE user_id = '$user_id'");

        echo '<p class="changes-saved">Your changes have been saved!</p>';
    }

    if (!$dbc) {
        // There was an error...do something about it here...
        print mysqli_error($mysqli);
        return;
    }
}

Upvotes: 1

Views: 1076

Answers (2)

bobince

Reputation: 536615

I wanted to check their data for malicious code like XSS and SQL injections by using HTML Purifier

That's not what HTML Purifier is meant for.

HTML Purifier is for when you need to allow the user to submit actual [X]HTML for inclusion in a page, but you don't want them to have full access to all the potentially-dangerous features of HTML.

It is not a substitute for proper use of htmlspecialchars when outputting a string of text into an HTML page. In the vast majority of cases where you want user input to be text strings and not HTML markup, you want to escape those < and & signs to &lt; and &amp;, not treat them as markup and mangle them in an attempt to make that markup ‘clean’.

It also does nothing at all against SQL injection. You must continue to use mysqli_real_escape_string, or go to parameterised queries.

Upvotes: 1
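Putting bobince's three points into the asker's handler, as an added example (not code from the question or either answer): HTML Purifier with an allow-list for the one field that may carry markup, a parameterised query for the database, and htmlspecialchars at output for the plain-text field. It assumes a UNIQUE key on profile.user_id and the user id in $_SESSION; both are assumptions, not from the page.

```php
<?php
// Added example, not code from the question or either answer. Assumes the
// asker's schema (profile(user_id, about_me, interests) with a UNIQUE key on
// user_id) and that the logged-in user's id is already in $_SESSION['user_id'].
session_start();
require_once '../../htmlpurifier/library/HTMLPurifier.auto.php';

// (a) HTML Purifier: only for the field where the user may submit real markup.
//     A tag/attribute allow-list is what keeps script, on* handlers and
//     javascript: URLs out while still permitting basic formatting.
$config = HTMLPurifier_Config::createDefault();
$config->set('Core.Encoding', 'UTF-8');
$config->set('HTML.Doctype', 'XHTML 1.0 Strict');
$config->set('HTML.Allowed', 'p,br,b,strong,i,em,a[href]');
$config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
$purifier = new HTMLPurifier($config);

if (isset($_POST['submitted'])) {
    $mysqli  = new mysqli('localhost', 'root', '', 'sitename');
    $user_id = (int) $_SESSION['user_id'];   // never trusted from $_POST

    // about_me may contain HTML, so purify it; interests is plain text and is
    // stored untouched (escaping belongs at output time, see show_profile).
    $about_me  = $purifier->purify($_POST['about_me'] ?? '');
    $interests = (string) ($_POST['interests'] ?? '');

    // (b) SQL injection: a parameterised query instead of string interpolation,
    //     so neither purify() nor *_real_escape_string is doing SQL duty.
    $stmt = $mysqli->prepare(
        'INSERT INTO profile (user_id, about_me, interests) VALUES (?, ?, ?)
         ON DUPLICATE KEY UPDATE about_me = VALUES(about_me), interests = VALUES(interests)'
    );
    $stmt->bind_param('iss', $user_id, $about_me, $interests);
    if (!$stmt->execute()) {
        error_log('profile save failed: ' . $stmt->error); // log, never echo, DB errors
        exit('Could not save your changes.');
    }
    echo '<p class="changes-saved">Your changes have been saved!</p>';
}

// (c) Output: the plain-text field goes through htmlspecialchars; the purified
//     field is emitted as markup because it was sanitised on the way in.
function show_profile(string $about_me_html, string $interests_text): string
{
    return '<div class="about">' . $about_me_html . '</div>'
         . '<p class="interests">'
         . htmlspecialchars($interests_text, ENT_QUOTES | ENT_HTML5, 'UTF-8')
         . '</p>';
}
```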

easement

Reputation: 6139

if ($dbc == TRUE) {
        //add the stuff you want to clean here.
        $about_me = $purifier->purify($about_me);
        $interests = $purifier->purify($interests);

        // escape for the query on the same mysqli connection (mysql_* belongs to the old extension)
        $dbc = mysqli_query($mysqli,"UPDATE profile 
                                     SET about_me = '".mysqli_real_escape_string($mysqli, $about_me)."', interests = '".mysqli_real_escape_string($mysqli, $interests)."' 
                                     WHERE user_id = '$user_id'");

        echo '<p class="changes-saved">Your changes have been saved!</p>';
}

You should also think about escaping the data before entering it in the DB using mysql_real_escape_string()

You can also combine mysql_real_escape_string($purifier->purify($interests)), but I didn't consolidate to make it more readable.

Upvotes: 2
