xisto Community
Pankyy

Escaping Text


I have been wondering for a while now: would running htmlspecialchars($string) and mysql_real_escape_string($string) take care of any kind of 'damage' intended when it's user input?

For example, on a board, the user can say whatever he wants, but he won't be able to enter more than plain text, meaning no harm intended to the MySQL database (SQL injections) and no change to the HTML in the text they entered (nor any PHP, JavaScript, etc.).

So, fitting all this in a function:

<?php
$string = "Whatever";

function strip_things($string)
{
    // Convert HTML metacharacters (<, >, &, ") to entities so the text cannot inject markup
    $string = htmlspecialchars($string);
    // Escape quotes and backslashes for use inside a MySQL query string
    // (requires an open mysql connection)
    $string = mysql_real_escape_string($string);
    return $string;
}

Would that be it?


I have been wondering for a while now: would running htmlspecialchars($string) and mysql_real_escape_string($string) take care of any kind of 'damage' intended when it's user input?

I did research once on the MySQLi extension for PHP, because I heard it automatically filters out the input. All I could find was that it just uses mysql_real_escape_string(). I still need to do more research on the subject, but if that is all MySQLi does, then I'm a bit amazed. It feels like there would be more.

Would that be it?

No, you should also filter out any white space. WordPress had a whitespace vulnerability once, if I remember correctly, where the exploiter could register themselves as an already existing user, even as users with administrative privileges. I heard MySQL in the background removes the white space itself. This may also imply that the way WordPress handled its logged-in users wasn't smart in its ways, as it implies that it retrieves the user's privileges based on the name of the user in a specific order, probably due to the fact that the developer thought multiple users with the same name cannot exist.

Either way, security is more than just filtering out input, especially if you're depending on another piece of software.


I did research once on the MySQLi extension for PHP, because I heard it automatically filters out the input. All I could find was that it just uses mysql_real_escape_string(). I still need to do more research on the subject, but if that is all MySQLi does, then I'm a bit amazed. It feels like there would be more.

No, you should also filter out any white space. WordPress had a whitespace vulnerability once, if I remember correctly, where the exploiter could register themselves as an already existing user, even as users with administrative privileges. I heard MySQL in the background removes the white space itself. This may also imply that the way WordPress handled its logged-in users wasn't smart in its ways, as it implies that it retrieves the user's privileges based on the name of the user in a specific order, probably due to the fact that the developer thought multiple users with the same name cannot exist.

Either way, security is more than just filtering out input, especially if you're depending on another piece of software.


No, but don't worry about that. I'm just asking about the text input, since the login system is already done and is separated from the text input one (meaning you can't do one without being logged in, and there's no way to change that).

What do you mean by "white space"? A normal whitespace such as " " or some kind of vulnerability name that I don't know?


What do you mean by "white space"? A normal whitespace such as " " or some kind of vulnerability name that I don't know?

Trailing spaces, yes. In your strip_things function, you would include rtrim($string). Looking at changelogs helps in figuring out how to avoid SQL injections or other attempts to obtain administrative privileges.


So you want to strip out the numbers and non-alphanumerical data? Simply use preg_replace, which searches for numbers and replaces them with nothing. If that's what you mean...


No no, there is no problem with numbers and non-alphanumerical data, I was just saying to stop a SQL injection and the insertion of a script tag or something like that, so users can't change the font or something like that. But truefusion, about what you say: first, I understand many SQL injections, but I can't understand why a whitespace could be used to SQL inject; and second, wouldn't mysql_real_escape_string($string) take care of it already?


But truefusion, about what you say: first, I understand many SQL injections, but I can't understand why a whitespace could be used to SQL inject; and second, wouldn't mysql_real_escape_string($string) take care of it already?

My memory wasn't so great when I was attempting to explain it from memory. But I managed to find the article concerning whitespace here. This should clarify everything.

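The two points raised in this thread, escaping per output context instead of stacking both escapes in one strip_things() function, and trimming identity fields before they reach a MySQL comparison, as an added example that is none of the posters' code. It assumes PDO with the SQLite driver standing in for MySQL; the posts table and the username rule are made up for the demonstration.

```php
<?php
// Added example, not from the thread. Stores user text raw via a bound parameter,
// escapes for HTML only when rendering, and normalises usernames before lookup.

// 1. Storage: a bound parameter keeps data and SQL apart, so no SQL escaping is
//    baked into the stored value and nothing gets double-encoded on output.
function store_post(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// 2. Output: escape for the HTML context at render time, not at input time.
function render_post(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Identity fields: trim and validate before comparing. MySQL compares CHAR and
//    VARCHAR values under PAD SPACE collations with trailing spaces ignored, so
//    'admin' and 'admin ' match the same row unless the application rejects the latter.
function normalise_username(string $name): ?string
{
    $name = trim($name);
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $name) === 1 ? $name : null;
}

// Constructed demo data: in-memory database in place of the forum's MySQL instance.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

$input = "Rob's <script>alert(1)</script> \"quoted\" text"; // constructed hostile-looking input
store_post($db, 'pankyy', $input);

$row = $db->query('SELECT body FROM posts')->fetch(PDO::FETCH_ASSOC);
echo ($row['body'] === $input ? "stored unchanged" : "stored altered"), "\n";
echo render_post($row['body']), "\n"; // the script tag comes out as inert entity text

foreach (["admin", "admin ", "ad min"] as $candidate) {
    $ok = normalise_username($candidate);
    echo json_encode($candidate), ' => ', ($ok === null ? 'rejected' : 'accepted as ' . $ok), "\n";
}
```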
