I need help to stupid- (and hack-) proof my database inputs.
What I have is an image gallery in a table (im_id, im_title, im_description, im_filename, etc.). I've modified it from an image-gallery tutorial online; however, I fear the tutorial was not very thorough. As I get more familiar with the code, I can tell it's definitely missing the required security, but I'm not sure what.
Image info is added to the database via a form (method="post"):
<textarea name="txtTitle" cols="50" rows="5" id="txtTitle">
if the form ISSET, then:
$imgTitle = $_POST['txtTitle'];
and then finally, the table is updated with no further data manipulation:
$sql = "INSERT INTO tbl_image (im_title) VALUES ('$imgTitle')";
Later, the data is output as such:
<?php echo $image['im_title']; ?>
<?php echo htmlspecialchars($image['im_description']); ?>
Why would they use htmlspecialchars only on the im_description field and not on the title field (both are text?). Is this something that all output fields should be wrapped in?
And... the code chokes on apostrophes. How do I fix that?
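Added example, not the poster's code: the string-built INSERT from the post beside a version using a PDO prepared statement (which is what fixes the apostrophe problem), with htmlspecialchars() applied to every text field on output, title included. It assumes the tbl_image columns named in the post and uses an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example (not the original poster's code). Assumes the tbl_image
// columns from the post; SQLite in memory so this runs without a server.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE tbl_image (
    im_id INTEGER PRIMARY KEY AUTOINCREMENT,
    im_title TEXT NOT NULL,
    im_description TEXT NOT NULL
)");

// Constructed input standing in for $_POST: an apostrophe (which breaks the
// string-concatenated query) and markup that must not be rendered as HTML.
$imgTitle = "O'Reilly's gallery <b>bold</b>";
$imgDesc  = "Line with \"quotes\" & an <img src=\"x\"> tag";

// UNSAFE (as in the post): the apostrophe terminates the SQL string literal,
// so the statement is malformed, and any other quoted input rewrites the query.
// $sql = "INSERT INTO tbl_image (im_title, im_description)
//         VALUES ('$imgTitle', '$imgDesc')";

// SAFE: placeholders keep the data separate from the SQL text; the driver
// handles quoting, so apostrophes are stored as ordinary characters.
$stmt = $db->prepare(
    "INSERT INTO tbl_image (im_title, im_description) VALUES (:title, :descr)"
);
$stmt->execute([':title' => $imgTitle, ':descr' => $imgDesc]);

// Output: escape EVERY text field, the title included. ENT_QUOTES also
// escapes single quotes, so values placed inside attribute quotes are safe.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$image = $db->query("SELECT im_title, im_description FROM tbl_image")
            ->fetch(PDO::FETCH_ASSOC);
echo "<h2>" . h($image['im_title']) . "</h2>\n";
echo "<p>" . h($image['im_description']) . "</p>\n";
```

The stored title keeps its apostrophes intact, and the browser shows the literal text `<b>bold</b>` rather than bold text, because every output field goes through the same escaping helper.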