PHP: Advice regarding how user input is "immunized"

I usually escape user input by doing the following:

htmlspecialchars($str,ENT_QUOTES,"UTF-8");

as well as mysql_real_escape_string($str) whenever a mysql connection is available.

How can this be improved? I have not开发者_如何转开发 had any problems with this so far, but I am unsure about it.

Thank you.

Data should be escaped (sanitized) for storage and encoded for display. Data should never be encoded for storage. You want to store only the raw data. Note that escaping does not alter raw data at all as escape characters are not stored; they are only used to properly signal the difference between raw data and command syntax.

In short, you want to do the following:

$data = $_POST['raw data'];
//Shorthand used; you all know what a query looks like.
mysql_query("INSERT " . mysql_real_escape_string($data));

$show = mysql_query("SELECT ...");
echo htmlentities($show);
// Note that htmlentities() is usually overzealous.
// htmlspecialchars() is enough the majority of the time.
// You also don't have to use ENT_QUOTES unless you are using single
// quotes to delimit input (or someone please correct me on this).

You may also need to strip slashes from user input if magic quotes is enabled. stripslashes() is enough.

As for why you should not encode for storage, take the following example:

Say that you have a DB field that is char(5). The html input is also maxlength="5". If a user enters "&&&&&", which may be perfectly valid, this is stored as "&&." When it's retrieved and displayed back to the user, if you do not encode, they will see "&&," which is incorrect. If you do encode, they see "&&," which is also incorrect. You are not storing the data that the user intended to store. You need to store the raw data.

This also becomes an issue in a case where a user wants to store special characters. How do you handle the storage of these? You don't. Store it raw.

To defend against sql injection, at the very least escape input with mysql_real_escape_string, but it is recommended to use prepared statements with a DB wrapper like PDO. Figure out which one works best, or write your own (and test it thoroughly).

To defend against XSS (cross-site-scripting), encode user input before it is displayed back to them.

If you only use mysql_real_escape_string($str) to avoid sql injection, make sure you always add single quotes around it in your query.

The htmlspecialchars is fine when parsing unsafe output to the screen.

For the database switch to PDO. It's much easier and does the escaping for you.

http://php.net/pdo