Prevention of SQL injection & form robustness

StevenJ

HI,

I have seen this topic in a number of places, but after searching have not found a thread that is obvious to me, that will help me.

I have a form that anyone can fill in and register a comment on a photograph. The functionality works ok, but I want to make my code & application robust (not just like a php book or dreamweaver produces).

the variables are posted, for example

$_POST['comment']

and the value of the above variable are inserted into the database. For information The field has a type of "BLOB".

before i post the value into the database, I actually put the value 'comment' through htmlspecialchars() like

htmlspecialchars($_POST['comment'], ENT_QUOTES)

so if the user inputs any special characters, then these are converted to the & (for example) equivalent, and potsed into the databse.

when the user then views the comment, in the html source code, it shows verbatim what is in the database field - but displays the browser displays exactly what I want becuase the browser interprets the & as an &.

Have I done this right? What advice can you give me so that no damage can be done to either the layout or the database by what a user might post?

laserlight

Have I done this right?

Somewhat, but you have also made it such that your data is now automatically assumed to be HTML code. This is rather inflexible.

What advice can you give me so that no damage can be done to either the layout or the database by what a user might post?

Use the appropriate escaping mechanism for your database API. For example:
PDO extension: use prepared statements
MySQLi extension: use prepared statements
MySQL extension: use [man]mysql_real_escape_string/man

Now, when you retrieve the data from the database, and decide that you want to display it in a context where it will be interpreted as HTML, then you use htmlspecialchars().