
My head's exploding with this one. I'm looking for a concise step-by-step for escaping data submitted by a user before outputting it to other users' browsers.

The process: 1) User 1 submits an ajax form (jquery) with a text field, sent as JSON. 2) PHP escapes the string and puts it in a DB using mysqli_real_escape_string(). 3) User 2 loads a page which requests the data via a jquery ajax request, receiving as JSON. The string is presented as an option in a form's select box.

I want to make sure that user 1 can't submit malicious javascript or html - in other words, I want all characters to be properly escaped. I'd like guidance on the steps to achieve this, what would need to be changed in the code below?

On submitting the form: (no escaping)

$.ajax({
    url: '/ajax/insert.php', dataType: 'json',
    data: {str: $("input").val()}, success: function(){}
});

PHP insert into DB: (escaped)

mysqli_query($link,
    "insert into tbl (str) values ('"
        .mysqli_real_escape_string($link, $_REQUEST['str'])
    ."')");

jQuery get string, put into drop down (simplified) (put escaping here?):

$.ajax({
    url: '/ajax/get.php', dataType: 'json',
    data: {}, 
    success: function(json){
        $("select").html("<option>" + json.str + "</option>");
    }
});

PHP for retrieving from DB (put escaping here?):

$res = mysqli_query($link, "select str from tbl where X");
echo json_encode(mysqli_fetch_assoc($res));

Thanks

  • mysqli_real_escape_string must do all the escaping, IMO Commented Sep 26, 2012 at 18:30

2 Answers


I decided just to do this:

$.ajax({
    url: '/ajax/get.php', dataType: 'json',
    data: {}, 
    success: function(json){
        var options = $("select");
        options.html("");
        $.each(json, function(i, v){
            options.append($("<option />").val(v.item_id).text(v.str));
        });
    }
});
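To make the difference between the question's `"<option>" + json.str + "</option>"` and the accepted answer's `.text(v.str)` concrete, here is an added example (not code from the question or either answer). It assumes, as the accepted answer's loop does, that `get.php` returns a JSON array of `{item_id, str}` rows; `escapeHtml`, `buildOptionsUnsafe`, `buildOptionsSafe`, `fillSelect` and `sampleRows` are names introduced here, and the string-building variants exist only so the encoding can be checked outside a browser.

```javascript
// Encode the five characters that matter in HTML text and attribute context.
// Same mapping as PHP's htmlspecialchars($s, ENT_QUOTES).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Vulnerable form, as in the question: the raw DB string is concatenated into
// markup, so any tags it contains are parsed by the viewer's browser.
function buildOptionsUnsafe(rows) {
  return rows.map(function (v) {
    return '<option value="' + v.item_id + '">' + v.str + '</option>';
  }).join('');
}

// Safe form: each untrusted value is encoded at the point it enters HTML.
function buildOptionsSafe(rows) {
  return rows.map(function (v) {
    return '<option value="' + escapeHtml(v.item_id) + '">' +
      escapeHtml(v.str) + '</option>';
  }).join('');
}

// In the browser, prefer DOM APIs, which never parse the value as HTML; this
// is what the accepted answer's $("<option />").val(...).text(...) relies on.
function fillSelect(selectEl, rows) {
  selectEl.innerHTML = '';
  rows.forEach(function (v) {
    var opt = document.createElement('option');
    opt.value = v.item_id;     // attribute value, not markup
    opt.textContent = v.str;   // text node, not markup
    selectEl.appendChild(opt);
  });
}

// Constructed sample standing in for the JSON that get.php would return.
var sampleRows = [
  { item_id: 1, str: 'plain text' },
  { item_id: 2, str: '<b>x</b> & "y" \'z\'' }
];
```

Encoding belongs at this output step regardless of what was done on insert: `mysqli_real_escape_string` only protects the SQL statement, not the HTML that the data is later rendered into.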



Another option:

When you insert new data to the database use filtering e.g.:

/**
 * "Clean" posted vars from special characters with ENT_QUOTES
 */
function filter_spec($str_filter_value)
{
    if (!is_array($str_filter_value)) {
        // HTML-encode & < > " ' so the stored value cannot form markup
        $str_filter_value = htmlspecialchars($str_filter_value, ENT_QUOTES);
        // Backslash-escape quotes for use inside the SQL string literal
        $str_filter_value = addslashes($str_filter_value);
        return $str_filter_value;
    }
}

/**
 * Decode special characters in a string encoded with filter_spec() (htmlspecialchars())
 * WARNING: If $safe = false this will decode all special characters to their normal state.
 * THE SAFE WAY: $safe = true returns the output in a safe way. The default is $safe = true.
 */
function filter_spec_decode($str_filter_value, $safe = true)
{
    if (!is_array($str_filter_value)) {
        if ($safe == true) {
            // Only undo the ampersand encoding; tags and quotes stay encoded
            $str_filter_value = str_replace('&amp;', '&', $str_filter_value);
        } elseif ($safe == false) {
            $str_filter_value = htmlspecialchars_decode($str_filter_value, ENT_QUOTES);
        }
        // Remove the backslashes added by addslashes() (once, not twice)
        return stripslashes($str_filter_value);
    }
}

Your INSERT string update should be:

$strToInsert = filter_spec($_REQUEST['str']);

Your output code from your DB should be:

$strFromDB = filter_spec_decode($res['str']); // This is with safe enabled

Hope this helps!

2 Comments

Thanks - Wouldn't it be more appropriate to escape special characters using javascript when it's inserted into the select's html?
Escaping using Javascript is not recommended. The user can bypass your javascript escape function, which will be client side, while server side is more secure and can't be manipulated by the client.
