Posted by Rik on 07/05/06 09:45
Harold Crump wrote:
>>> My question - is it enough to pass all user input through the
>>> htmlentities() function call and store the resultant output?
>>
>> No. Use mysql_real_escape_string(), although that's not 100% secure
>> either:
>>
>> http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
>
> My understanding is that htmlentities replaces all types of quotes with
> its HTML equivalent - doesn't that get rid of the whole problem with
> escaping, or not escaping, quotes?
Nope. The problem is, it's possible to post 'abnormal' characters to your
script. Don't assume they will always use your simple HTML form to post data;
people with trouble in mind can post stuff htmlentities() won't replace.
> What's the issue with storing the &quot; in the database?
Nothing, you surely can mysql_real_escape_string(htmlentities($string)) if
you want that.
> Why bother with mysql_real_escape_string and all its inherent issues if
> we can completely eliminate quotes from making their way into the SQL
> statement?
htmlentities() won't guarantee that.
>> Prepared statements seem the way to go. Use mysqli if available.
> Aren't they available only with version 5 and above?
> I am still on an older version.
Unfortunately yes.
>>> Also, I would like to replace all semi-colons in input with something
>>> else - but I am not sure what and how.
>> Why?
> Semi-colons are statement terminators in SQL.
> They are commonly used in SQL injection attacks to end the current
> statement and insert a malicious statement.
Like Jerry said: properly escaping the string will make that harmless, and
your users still able to post the normally valid ; without unexpected
results.
Grtz,
--
Rik Wasmus
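The two points Rik makes above (htmlentities() does not keep quotes out of the SQL, and a bound parameter makes a ";" harmless without stripping it) can be seen end to end in the following added example. This is not code from the thread; it uses Python and an in-memory SQLite database instead of PHP and MySQL, because the principle is the same. The helper html_entities_compat() mimics the default behaviour of PHP's htmlentities() (ENT_COMPAT: it encodes &, <, > and the double quote but leaves the single quote alone); that mimicry, the table layout and all sample rows and payloads are constructed for this example. The bound "?" parameters play the role that mysqli prepared statements play in PHP.

```python
import sqlite3


def html_entities_compat(s: str) -> str:
    """Mimic PHP htmlentities() with its default ENT_COMPAT flags (assumption
    of this example): & < > and the double quote are encoded, the single
    quote is NOT."""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;"))


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "qwerty")],
    )
    conn.commit()
    return conn


def login_htmlentities_only(conn, name: str, password: str) -> list:
    """VULNERABLE: HTML-encodes the input, then pastes it into the SQL text.
    A single quote survives the encoding, so it still closes the literal."""
    sql = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'"
        % (html_entities_compat(name), html_entities_compat(password))
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_htmlentities_only(conn, user_id: str) -> list:
    """VULNERABLE: numeric context. No quotes are needed at all, so quote
    encoding is irrelevant; "id = 1 OR 1=1" is valid SQL exactly as typed."""
    sql = "SELECT name FROM users WHERE id = %s" % html_entities_compat(user_id)
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, name: str, password: str) -> list:
    """SAFE: the values are bound as parameters; the SQL text never changes."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    )
    return [row[0] for row in rows]


def store_and_fetch_comment(conn, body: str) -> str:
    """SAFE: a semicolon (or quote) inside bound data is just a character.
    Nothing needs to be stripped or replaced; it is stored verbatim."""
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    row = conn.execute(
        "SELECT body FROM comments WHERE id = ?", (cur.lastrowid,)
    ).fetchone()
    return row[0]


def demo() -> dict:
    conn = make_db()
    payload = "' OR 1=1 --"           # constructed attacker input
    hostile = "x'; DROP TABLE users; --"
    return {
        # every user comes back: the quote was not encoded and 1=1 is true
        "htmlentities_login": login_htmlentities_only(conn, payload, "wrong"),
        # every user again: no quotes involved, so encoding cannot help
        "htmlentities_numeric": lookup_by_id_htmlentities_only(conn, "1 OR 1=1"),
        # no match: the payload is compared as a literal user name
        "prepared_login": login_prepared(conn, payload, "wrong"),
        "prepared_valid": login_prepared(conn, "alice", "s3cret"),
        # a normal ";" and a hostile one are both stored as plain text
        "comment_normal": store_and_fetch_comment(conn, "see you at 5; bring the docs"),
        "comment_hostile": store_and_fetch_comment(conn, hostile),
        # the users table survived the hostile comment
        "users_still_exist": len(login_prepared(conn, "bob", "hunter2")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The first two results are the failure mode the reply warns about: encoding quotes only matters when the value sits inside a quoted literal, and with the default flags even that case is not covered for single quotes. The remaining results show why replacing semicolons buys nothing once values are bound: the database never parses the data as SQL, so a legitimate ";" in a comment reaches the table unchanged.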