Question on preventing SQL with magic_quotes off and XSS with htmlentities
On my server I have magic_quotes turned off. When a user save content as article in my DB from a form, I use
$text = mysql_real_escape_string($_POST['text']);
to prevent SQL Injecion.
This is my input <img src="image.png"开发者_开发知识库></img>
and this is what it is saved in the DB <img src="image.png"></img>
When I echo htmlentities($row['text']);
i get <img src="image.png"></img>
printed on screen, on view source I get <img src="image.png"></img>
.
My questions are
- Isn't supposed to be saved in DB like
<img src=\"image.png\"></img>
to prevent SQL Injections ? - Is
htmlentities
is a good candidate to prevent XSS attacks? - Should I turn on magic_quotes?
Isn't supposed to be saved in DB like
<img src=\"image.png\"></img>
to prevent SQL Injections ?
No, SQL injections are widely misunderstood, mainly because they actually have nothing to do with SQL as they are just string manipulation. You don't need to alter the data you insert into the database, you only have to alter the string you send to the database server as query (unless you do the wise choice and use prepared statements instead of escaping the query string). The data, once stored, should be in its original state.
Is htmlentities is a good candidate to prevent XSS attacks?
Yes but htmlentities()
is good for sending data as output to the browser, not for storing it into the database (as the data from the DB might be used for something other than a web page).
Should I turn on magic_quotes?
No, you should use prepared statements.
- It seems that your magic quotes is enabled. Check it.
- There are a lot of articles about this but for quick starting don't allow to use javascript and external images.
Getting escaped data out of the database suggests it's been double-escaped - does your PHP have magic_quotes_gpc
turned on? If you want to sanitize HTML and allow only certain constructs you specify through, then I suggest using HTMLPurifier which'll get as strict or lax as you want.
Use mysql_real_escape_string and turn the quotes back to normal:
$text = str_replace('\"', '"', $row['text']); // Alternative one
$text = preg_replace("/X/", '"', $row['text']); // Alternative two. X needs to be \\", \\\" or \\\\", perhaps \\\\\"
Answers to updated questions:
Correct saving of data goes like this:
input -> php - > mysql_real_escape_string -> db -> php -> htmlspecialchars -> browser
精彩评论