Hi

I am wondering if one of the PHP pros on here could answer this question for me.

When validating user input to be put into a database like MySQL, I use mysql_real_escape_string(), but I also use strip_tags(), htmlentities() and trim(). My question is: should I just be using mysql_real_escape_string(), and then, if displaying the user data on a webpage, use strip_tags() and htmlentities() before it is displayed? I always run data through mysql_real_escape_string() before it goes into the database, of course.

I am noticing quite a few scripts just use mysql_real_escape_string() when placing the data into a database, and then, before the data from the database is output on a webpage, it goes through strip_tags() and htmlentities() etc. I am not sure what is the best way to go about this. For example, if I only use mysql_real_escape_string(), that means I could have potentially dangerous code in the database, like code tags with malicious code etc. that could cause harm. Obviously this won't be a problem if the correct checks are done before it is output on a webpage, but I am confused about how others validate data and in which way.

Could someone please clarify what the best-practice way is for me?

For example, I have a guestbook. I run the $_POST data through strip_tags(), htmlentities() and mysql_real_escape_string() before it is put in the database, then I can display it on the webpage knowing no harmful code is in the database. Yet I see scripts doing it the opposite way: just using mysql_real_escape_string() when placing data into the database, and then sanitizing the data before it is displayed on a webpage, like a guestbook for example.

But I do all of it before it goes into the database, so I'm confused about it.

Security is always my top priority and I just need proper clarification on this from you PHP pros out there. I am not sure what is best practice, as I see as many bad scripts as I do good ones, so I never know which is the correct way.

Thanks
PHPLOVER

Anyone please?

Sorry if it sounds confusing.

Thanks
PHPLOVER

You want to filter input and escape on output.
You could also add another layer of filtering to the output if you by chance needed the data in a different way than how it is stored in the database.

E.g. if the data in the database is a validated and filtered HTML string and you just want the plain-text representation in a particular scenario, you could then filter it coming from the database and remove any HTML, then escape that output to the user.

These are some articles that explain why this is the golden rule:
http://terrychay.com/article/php-advent-security-filter-input-escape-output.shtml
http://en.wikipedia.org/wiki/Secure_input_and_output_handling

This also has some good information:
http://phpsec.org/projects/guide/
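As an added worked example (not code from the thread or from the linked articles), here is the filter-input / escape-output rule applied to the guestbook case from the question. It assumes a hypothetical `guestbook` table reachable through PDO, and it uses a prepared statement with bound parameters in place of mysql_real_escape_string(), which belongs to the mysql_* extension that was removed in PHP 7.0; the table and column names and the sample request are constructed for this example.

```php
<?php
// Added example, not from the thread: "filter input, escape output" for a guestbook.
// Assumes a hypothetical table guestbook(id, name, message, created_at) reachable via PDO.
declare(strict_types=1);

// 1. FILTER INPUT: check the *shape* of each field against a whitelist and reject
// anything that does not fit. The accepted value is kept exactly as typed; no
// strip_tags()/htmlentities() here, because those are output-context decisions.
function validateGuestbookInput(array $post): array
{
    $errors = [];

    // Name: 2-40 letters, digits or spaces. A whitelist regex, not a list of bad characters.
    $name = trim((string)($post['name'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9 ]{2,40}$/', $name)) {
        $errors['name'] = 'Name must be 2-40 letters, digits or spaces.';
    }

    // Message: free text, so only length and valid UTF-8 can be enforced.
    $message = trim((string)($post['message'] ?? ''));
    if ($message === '' || !mb_check_encoding($message, 'UTF-8') || mb_strlen($message, 'UTF-8') > 1000) {
        $errors['message'] = 'Message must be 1-1000 characters of valid UTF-8.';
    }

    return ['errors' => $errors, 'name' => $name, 'message' => $message];
}

// 2. STORE: a bound parameter keeps SQL code and user data separate, so the value
// itself needs no escaping for the database (this replaces mysql_real_escape_string()).
function storeEntry(PDO $db, string $name, string $message): void
{
    $stmt = $db->prepare(
        'INSERT INTO guestbook (name, message, created_at) VALUES (:name, :message, NOW())'
    );
    $stmt->execute([':name' => $name, ':message' => $message]);
}

// 3. ESCAPE OUTPUT: escape for the context the data lands in, here an HTML body.
// Every field is escaped, including the alphanumeric name, so the rule has no exceptions.
function renderEntry(string $name, string $message): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="entry"><strong>' . $h($name) . '</strong>'
         . '<p>' . nl2br($h($message)) . '</p></div>';
}

// Constructed sample request; the message deliberately contains markup so the
// escaping step has something to neutralise.
$result = validateGuestbookInput([
    'name'    => 'Visitor 42',
    'message' => "Nice site!\n<script>alert('xss')</script>",
]);

if ($result['errors'] !== []) {
    foreach ($result['errors'] as $field => $msg) {
        echo "Invalid {$field}: {$msg}\n";
    }
} else {
    // Uncomment with real credentials; charset=utf8mb4 on the DSN keeps the escaping
    // and the connection encoding in agreement.
    // $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass);
    // storeEntry($db, $result['name'], $result['message']);
    echo renderEntry($result['name'], $result['message']), "\n";
}
```

The split matters because escaping is specific to where the data is going: the same stored string may later be placed in HTML, in a JSON response, or in an e-mail, and each needs a different escape. Running strip_tags() and htmlentities() before the INSERT both alters what the user wrote (a comment about `<b>` tags becomes unreadable) and leaves the stored value wrong for every context except the one HTML page you had in mind. Validating on the way in and escaping on the way out, as the answer above says, avoids both problems.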

Hi,

Thanks for the useful info.

So am I right in thinking that I should filter input, i.e. if I am expecting just letters and numbers then I should ensure only letters and numbers have been input, and if not, obviously give an error like "not valid" etc., but if valid, that means it has been filtered and passed the filter check, so pass it along to the database or wherever? Then when I want to display that information on a webpage I should escape the data being output. Obviously, if you only accepted letters and numbers then that won't need escaping on output, as a user could not have been able to add malicious code when filtering the data, like code tags and code between the code tags, but I should escape output if I, for example, have a guestbook where a user could enter any type of characters.

Am I right in what I have said?

Thanks
PHPLOVER

I suggest you use the validation classes from the Zend Framework or PEAR's class. Using these classes can help you write your scripts faster, since you no longer have to do extensive validation coding in your script. I suggest you use Zend Framework classes over PEAR, since they have done an amazing job at giving users an amazing amount of documentation that gives you a nice introduction to the classes and how to use them, as well as tons of code examples to follow.


PEAR's Validation Classes

Zend Framework Validation

Good luck to you!

-CyberSpatium

Hi,

Thanks for the useful info.

So am I right in thinking that I should filter input, i.e. if I am expecting just letters and numbers then I should ensure only letters and numbers have been input, and if not, obviously give an error like "not valid" etc., but if valid, that means it has been filtered and passed the filter check, so pass it along to the database or wherever? Then when I want to display that information on a webpage I should escape the data being output. Obviously, if you only accepted letters and numbers then that won't need escaping on output, as a user could not have been able to add malicious code when filtering the data, like code tags and code between the code tags, but I should escape output if I, for example, have a guestbook where a user could enter any type of characters.

Am I right in what I have said?

Thanks
PHPLOVER

Thanks for replying, but I still want to know if I am right in what I have said in my quote above. It's still important for me to understand.

Thanks
PHPLOVER
