
Decoding Mysql_real_escape_string() For Outputting Html

I'm trying to protect myself from SQL injection and am using: mysql_real_escape_string($string); When posting HTML it looks something like this:

Solution 1:

You could successfully reverse the escaping by replacing those escaped characters with their unescaped forms.

mysql_real_escape_string() shouldn't be used to sanitize HTML though... there's no reason to use it before outputting web page data. It should only be used on data that you're about to put into the database. Your sanitization process should look something like this:

Input

  1. Accept user input from a form or HTTP request
  2. Create database query using mysql_real_escape_string()

Output

  1. Fetch data out of the database
  2. Run any user-defined data through htmlspecialchars() before printing

Using a different database driver such as MySQLi or PDO will allow you to use prepared statements, which take care of escaping most inputs for you. However, if you can't switch or take advantage of those, then definitely use mysql_real_escape_string()... just only use it before inserting data.
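The Input/Output pipeline described in this answer, written out as an added example (it is not code from the original answer). It uses PDO prepared statements on the database side and htmlspecialchars() on the HTML side; the table name `comments`, the column `body`, and the in-memory SQLite DSN (used so the script runs without a MySQL server) are assumptions.

```php
<?php
// Added example: the Input/Output pipeline from the answer above.
// Assumptions: a table "comments" with a column "body"; an in-memory SQLite
// database stands in for MySQL so the script runs stand-alone. With a MySQL
// DSN the PDO calls are identical.
declare(strict_types=1);

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Input side: the raw user string is passed as a bound parameter and never
// concatenated into the SQL text, so no escaping (and no decoding later) is needed.
function store_comment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// Output side: the stored string comes back byte-for-byte identical; it is
// escaped for HTML only at the moment it is printed into a page.
function render_comment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    if ($body === false) {
        return '';
    }
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$db = open_db();
// Constructed input: the markup from the question plus a single quote that
// would break a naively concatenated query.
$raw = '<span class="className"><p class="pClass" id="pId">O\'Reilly</p></span>';
$id  = store_comment($db, $raw);

// The stored value is unchanged: no backslashes were added, so there is
// nothing to "decode" when reading it back.
assert($db->query('SELECT body FROM comments')->fetchColumn() === $raw);

// The markup is shown as visible text rather than interpreted by the browser.
echo render_comment($db, $id), PHP_EOL;
```

The same two functions are the whole sanitization story: parameters in, htmlspecialchars() out. If you must stay on the old mysql_* extension, mysql_real_escape_string() replaces only the parameter binding in store_comment(); the output side is unchanged.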

Solution 2:

You've got everything messed up.

mysql_real_escape_string doesn't need any decoding!

If you get your data back with slashes, it means that it has been escaped twice. And instead of stripping out the extra slashes you just shouldn't add them in the first place.

Not to mention that whatever escaping is obsolete and you ought to use prepared statements instead of whatever escape string.

So, never escape, never decode. Problem solved.

Solution 3:

mysql_real_escape_string is used to prevent SQL injection when storing user provided data into the database, but a better method would be to use data binding using PDO (for example). I always recommend using that instead of messing with escaping.

That being said, regarding your question on how to display it afterwards - after the data is stored, when you retrieve it the data is complete and valid without any need to be "unescaped". Unless you added your own escaping sequences, so please don't do that.

Solution 4:

Use the following function to remove slashes while showing on HTML page:

stripslashes();

e.g. $html=stripslashes($html); OR $html=stripslashes($row["fieldname"]);
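An added example (not code from Solution 2 or Solution 4) that models the double-escaping Solution 2 describes and shows why the stripslashes() fix from Solution 4 is lossy. mysql_real_escape_string() needs a live connection and is gone since PHP 7, so sql_escape() below is a stand-in that escapes the same characters the MySQL documentation lists for it (NUL, \n, \r, \, ', " and Ctrl-Z, charset handling omitted); sql_literal_unescape() models how the MySQL parser turns a quoted string literal back into the stored bytes. Both helpers are assumptions made for this illustration.

```php
<?php
// Added example: modelling what ends up in the table when a value is escaped
// once versus twice. sql_escape() and sql_literal_unescape() are stand-ins
// (assumptions) for the client-side escaper and the server-side literal parser.
declare(strict_types=1);

// Client side: what mysql_real_escape_string() does to the string.
function sql_escape(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Server side: parsing the quoted literal removes exactly one layer of escaping,
// and the result is what gets stored in the column.
function sql_literal_unescape(string $s): string
{
    return strtr($s, [
        '\\0'  => "\0",
        '\\n'  => "\n",
        '\\r'  => "\r",
        '\\\\' => '\\',
        "\\'"  => "'",
        '\\"'  => '"',
        '\\Z'  => "\x1a",
    ]);
}

// Constructed input: the markup from the question.
$raw = '<span class="className">';

// Escaped once: the server strips the escaping and stores the original bytes.
$stored_ok = sql_literal_unescape(sql_escape($raw));
assert($stored_ok === $raw);

// Escaped twice (for example magic_quotes or addslashes() already ran, then
// mysql_real_escape_string() ran on top): one layer survives into the table,
// which is where the backslashes in the question come from.
$stored_bad = sql_literal_unescape(sql_escape(sql_escape($raw)));
assert($stored_bad === '<span class=\"className\">');

// stripslashes() on output hides that symptom, but it also destroys
// backslashes that were legitimately part of the data.
$path = 'C:\\Temp\\report.txt';
$stored_path = sql_literal_unescape(sql_escape($path));
assert($stored_path === $path);                 // stored correctly when escaped once
assert(stripslashes($stored_path) !== $path);   // "fixing" it on output corrupts it
```

The fix is to find and remove the extra escaping step on the input side (or switch to prepared statements, which need none), not to strip slashes on output.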

Solution 5:

Not sure what is going on with the formatting as I can see it, but your HTML form

<span class="\&quot;className\&quot;"><p class="\&quot;pClass\&quot;" id="\&quot;pId\&quot;"></p></span>

should be simply:

<span class="className"><p class="pClass" id="pId"></p></span>

When you get it back, before you put it into the database you escape it using mysql_real_escape_string() to make sure you do not suffer an SQL injection attack.

Hence you are escaping the values ready for the place the text is going next.

When you get it out of the database (or display ANY of it to users as HTML) then you escape it again ready for the place it is going next (HTML) with htmlentities() etc. to protect your users from XSS attacks.

This forms the EO part of the mantra FIEO, Filter Input, Escape Output, which you should tattoo on the inside of your eyelids.
