Reputation: 4508
I have a TinyMCE editor which is passing data to a PHP processing file.
If I use $variable = $_POST['tinyMCE_textarea'];
everything is OK.
But I want to secure it so nothing bad will come from a user who entered some data into the textarea.
And when I use $variable = mysql_real_escape_string($_POST['tinyMCE_textarea']);
the result becomes damaged with some \" signs. So how can I add maximum security without changing the variable?
Upvotes: 2
Views: 3317
Reputation: 17530
Use prepared statements or PDO.
Use htmlentities(), or at least convert '<', '>' and '"' to "&gt;" and so on.
Upvotes: 1
Reputation: 18005
TinyMCE is able to clean up data, however it is critical that you don't rely on client-side stuff.
To secure data for the database, you use mysql_real_escape_string(). The result is intended for use with MySQL and not for display.
To secure data for display, you use the htmlspecialchars() function. htmlentities() also works but would convert all applicable entities, so for security you only need htmlspecialchars().
So the simplified picture is:
// Insert to database
mysql_query("INSERT INTO data (content) VALUES ('" . mysql_real_escape_string( $_POST['tinyMCE_textarea'] ) . "')");
// Display to user - doesn't matter whether the data is from post or database
echo htmlspecialchars ( $_POST['tinyMCE_textarea'] );
Upvotes: 4
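As an added example that is not part of this answer, the same database/display split done with a PDO prepared statement in place of mysql_real_escape_string, so the stored value is exactly what the textarea sent and no \" ever appears in it; htmlspecialchars is applied only when displaying. It assumes a table named data with id and content columns, and uses an in-memory SQLite DSN in place of the MySQL connection so it runs offline.

```php
<?php
// Added example, not from the original answer: keep the raw TinyMCE HTML
// unchanged in storage by binding it as a prepared-statement parameter,
// and escape only at display time. Assumptions: a table "data" with
// columns id and content; an in-memory SQLite PDO DSN stands in for the
// MySQL connection so the script runs offline.

function storeContent(PDO $db, string $html): int {
    // The value travels separately from the SQL text, so no backslashes
    // are added and what is stored equals what was submitted.
    $stmt = $db->prepare('INSERT INTO data (content) VALUES (:content)');
    $stmt->execute([':content' => $html]);
    return (int) $db->lastInsertId();
}

function loadContent(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT content FROM data WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

function renderAsText(string $html): string {
    // HTML-context escaping; ENT_QUOTES also covers single quotes, which
    // matters if the value is ever placed inside an attribute.
    return htmlspecialchars($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE data (id INTEGER PRIMARY KEY, content TEXT NOT NULL)');

// Constructed sample of what the textarea might submit, with the quotes
// that mysql_real_escape_string would have turned into \" on the way in.
$submitted = '<p>Bob said "it\'s fine" &amp; left</p>';

$id = storeContent($db, $submitted);
$stored = loadContent($db, $id);

// Round trip is lossless: the stored value carries no escaping.
if ($stored !== $submitted) {
    throw new RuntimeException('stored content was altered');
}

// Display-time escaping shows the markup as text instead of rendering it.
echo renderAsText($stored), PHP_EOL;
```

Shown this way the editor's HTML appears as literal text; rendering it as markup instead requires a server-side allow-list sanitizer, which this snippet does not include.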
Reputation: 4976
Just remember to escape the user input before outputting (using for example htmlentities()) and escape the string before storing it in your database.
Upvotes: 0