
I have been using:

if ($_POST['Comments']!=""){
  $comments = mysql_real_escape_string($_POST['Comments']);
}else{
  $comments = "";
}

ever since a user added an apostrophe to their data and it broke my SQL statement. I thought this also secured the data at the same time. But just now I got a submission and in the comment field in the database I see:

 /r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r
<a href="http://seowebsite.com">seohelp</a>

And the email I get when someone submits had the text with the links actually working.

I thought mysql_real_escape_string() was supposed to get rid of all that?

Any suggestions? I was thinking of doing a function that does all the string cleaning for me in a few different steps. But if there is a way to secure in just one step that would be great.

  • In fact, no HTML tag can be considered insecure in terms of storing data in a MySQL database. Commented Mar 16, 2011 at 19:03

1 Answer


mysql_real_escape_string() only protects* you against SQL Injection, not against Cross-Site Scripting (XSS).

* mysql_real_escape_string() doesn't behave properly when used in conjunction with SET NAMES because it is unaware of the charset being used. Use mysql_set_charset() instead.


In order to protect yourself against XSS, you must also use htmlentities() or htmlspecialchars() either at insert time (before mysql_real_escape_string()) or at display time.

$escaped = htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

If you want to allow some HTML content, use HTML Purifier with a whitelist of elements and attributes you want to allow.


1 Comment

I wouldn’t call that a bug but a false expectation.
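To make the answer's point concrete, here is an added example (not code from the question, the answer, or the comments) that runs the comment from the question through both escapers. `sql_escape()` is a stand-in for `mysql_real_escape_string()` so the script runs without a database; `h()` is the `htmlspecialchars()` line from the answer, and the remark about the notification e-mail assumes it is sent as HTML.

```php
<?php
// Added example, not code from the question or the answer.
// The two escapers serve different consumers: one protects the MySQL
// parser, the other protects the browser. Neither does the other's job.

// Constructed sample modelled on the submission in the question.
$comment = '/r/r/r/r <a href="http://seowebsite.com">seohelp</a>';

// Stand-in for mysql_real_escape_string() so the example runs without a
// database: backslash-escape the characters that matter inside a MySQL
// string literal (NUL, \n, \r, \, ', " and Ctrl-Z). MySQL strips those
// backslashes again when it parses the INSERT, so the row ends up holding
// the original HTML byte for byte. Removing markup was never its job.
function sql_escape(string $s): string
{
    return strtr($s, [
        "\0"   => '\0',   "\n" => '\n',   "\r" => '\r',
        '\\'   => '\\\\', "'"  => "\\'",  '"'  => '\"',
        "\x1a" => '\Z',
    ]);
}

// The line from the answer wrapped in a function. Run every stored value
// through it on each output path that produces HTML: the page that shows
// the comment, and the notification e-mail if that e-mail is HTML
// (an assumption about the asker's setup).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$forSql  = sql_escape($comment);   // goes between the quotes of the INSERT
$stored  = $comment;               // what the Comments column holds afterwards
$forHtml = h($stored);             // what the browser should receive

echo "SQL literal: ", $forSql, "\n";
echo "HTML output: ", $forHtml, "\n";
```

The SQL form only gains backslashes before the double quotes, which MySQL removes again on insert, so the link is stored intact; the HTML form has `<`, `>` and `"` replaced by `&lt;`, `&gt;` and `&quot;`, which the browser displays as literal text instead of a working link.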
