Eliminating malicious form input

mrgrammar

I have a form where visitors input their information and it is stored in a database. That data can later be displayed on a web page. I want to make sure that no code (malicious or otherwise) can be input in the form, therefore stored in the database, which then executes when displayed.

Will strip_tags() take care of removing all code (malicious or not) or do I need to use a different function?

bpat1434

One easy thing you could do is just change "<" to "<" and ">" to ">". That won't be interpreted as code by the browser, but will still show it as "<" and ">".

Strip_tags will work, just limit the number of tags you allow and you should be fine. Typically your basic is: "" for formatting.

DekkoN

hmm , if so , what does the mysql_real_escape_string do?
does it work aswell ?
also i cant seem to find where strip_tags should be put , if u could mention i'd be grateful.
thx ahead =]

laserlight

what does the mysql_real_escape_string do?

Read the PHP Manual on [man]mysql_real_escape_string/man. It helps to prevent SQL injection, but does not help to prevent malicious clientside code injection. For that you need to use strip_tags(), [man]htmlspecialchars/man or [man]htmlentities/man, depending on what is needed.

where strip_tags should be put

You would use it before inserting into the database. The potential problem with strip_tags() is that you could end up removing text that should not be removed.

DekkoN

does the other mentioned 2 functions cause the same potential problem as the strip_tags?
do all of the 3 need to be used together or just choosing one of them would be enough ?
thanks again =]

laserlight

does the other mentioned 2 functions cause the same potential problem as the strip_tags?

No.

do all of the 3 need to be used together or just choosing one of them would be enough ?

If you intend to display text from user input, you should use either htmlspecialchars() or htmlentities(). Generally, I would not use strip_tags().

DekkoN

If you intend to display text from user input, you should use either htmlspecialchars() or htmlentities(). Generally, I would not use strip_tags().

same goes for saving text from user input in database ?

bpat1434

User input should have htmlspecialchars() and/or htmlentities() to sanitize the HTML or clientside code. To help save your site from SQL injection, use mysql_real_escape_string().

So really your inputs should look like:

mysql_real_escape_string(htmlspecialchars(htmlentities(string input)));

DekkoN

bpat1434 wrote:
User input should have htmlspecialchars() and/or htmlentities() to sanitize the HTML or clientside code. To help save your site from SQL injection, use mysql_real_escape_string().

So really your inputs should look like:

mysql_real_escape_string(htmlspecialchars(htmlentities(string input)));

alright you've helped me again =]
ty man.