
Hello,

 

I'm writing a script and I have a function called secure to secure any incoming data that will be placed into the database:

 

//This function performs security checks on all incoming form data
function secure($data){
    //MySQL Real Escape String
    $data = mysql_real_escape_string($data);

    //Strip HTML tags
    $data = strip_tags($data, '');

    return $data;
}

 

I've also done some digging and found that there is a setting called magic quotes which can mess with data input.  On my host for PHP info I have:

 

magic_quotes_gpc On

magic_quotes_runtime Off

magic_quotes_sybase Off

 

First question is, does this mean that magic quotes is on or off on the server I am using, that is will the data I am working with be affected by magic quotes?

 

Secondly, are there any changes I need to make to my secure() function to deal with servers that have magic quotes enabled?

 

Looking on my database the data entered such as ' is being escaped such as \' and I wanted to make sure that my secure() function is working and this is not just a result of the magic quotes.

 

Thanks,

Brandon

If this is to secure it before insertion into a db then remove strip tags, then it is done.

 

If it is to secure before printing on the page then remove mysql_real_escape_string, and change strip_tags($data,"") to htmlentities($data);

 

And yes magic quotes can affect the input by adding slashes to it (on quotation marks), but it can be disabled.

Google php manual magic quotes

http://uk2.php.net/manual/en/security.magicquotes.disabling.php


This sends it to a database which will then have the info pulled onto a page.  From a security standpoint, is there any risk to leaving strip_tags in there?  Also, looking at htmlentities it looks like it converts html to something else.  For my script I do not want ANY html to show, even when the data is passed back to the page, so would strip tags be better in that case?

There is not a security issue with strip_tags but htmlentities will be quicker (I think).

 

Htmlentities converts any tags into html special chars, e.g. a space might become &nsbp; (or something :s)

 

Well, with htmlentities if a user inserted html into a form, what would appear on the site, the HTML or the conversion such as &nsbp would appear instead of a space?
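The following is an added example, not Brandon's code and not anything posted in this thread. It addresses both of Brandon's questions at once: whether the backslash he sees in the database comes from magic quotes or from secure(), and what a visitor would see if htmlentities/htmlspecialchars is used instead of strip_tags. It keeps the three jobs that secure() mixes together separate: undoing magic_quotes_gpc, getting the text into the database, and escaping it for the page. Assumptions: PDO with the SQLite driver is available (SQLite is used only so the script runs without a MySQL server), the table and the form input are constructed for the example, and a bound parameter is used in place of mysql_real_escape_string, which was removed in PHP 7.

```php
<?php
// Added example (not Brandon's code or the forum's). Assumes PDO + SQLite;
// the table and the sample input below are constructed for the example.

// 1. Undo magic_quotes_gpc. With magic_quotes_gpc = On (as on Brandon's host),
//    PHP has already turned  O'Reilly  into  O\'Reilly  before the script runs.
//    Escaping that a second time is what puts extra backslashes in the table.
//    $gpc_on lets the example force either case; null means "ask PHP"
//    (get_magic_quotes_gpc() is deprecated in 7.4 and gone in 8.0, hence the guard).
function undo_magic_quotes($value, $gpc_on = null)
{
    if ($gpc_on === null) {
        $gpc_on = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    }
    if (!$gpc_on) {
        return $value;
    }
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = undo_magic_quotes($v, true);
        }
        return $out;
    }
    return stripslashes($value);
}

// 2. Store the raw text with a bound parameter: the value never becomes part of
//    the SQL string, so nothing needs escaping and nothing extra gets stored.
// 3. Escape for HTML only when rendering. htmlspecialchars turns <b> into
//    &lt;b&gt;, so the browser shows the literal characters "<b>" instead of
//    rendering bold text; no HTML from the user ever takes effect.
function store_and_render($raw_body, $gpc_on)
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

    $body = undo_magic_quotes($raw_body, $gpc_on);

    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute(array(':body' => $body));

    $stored = $pdo->query('SELECT body FROM comments')->fetchColumn();

    return array(
        // exactly what sits in the table: the quote, with no backslash
        'stored'   => $stored,
        // what goes into the page
        'html'     => htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'),
        // strip_tags for comparison: the tags vanish but their contents stay,
        // and a stray "<" that never closes swallows the rest of the string
        'stripped' => strip_tags($stored),
    );
}

// Constructed input: what $_POST['body'] looks like on a magic_quotes_gpc = On
// host after a user typed:  O'Reilly says <b>hi</b> and I <3 PHP
$from_form = "O\\'Reilly says <b>hi</b> and I <3 PHP";

$r = store_and_render($from_form, true);
echo "stored : ", $r['stored'], "\n";
echo "html   : ", $r['html'], "\n";
echo "strip  : ", $r['stripped'], "\n";
```

Run with `php example.php`. The stored value is the text the user typed, with a plain `'` and no backslash: if the table still shows `\'`, the slash came from magic quotes or from escaping an already-escaped string, not from the database needing it. The html line shows the tags as `&lt;b&gt;` entities, which a browser displays as the literal text `<b>hi</b>` rather than bold text, which answers the "what would appear on the site" question: the conversion is shown as the original characters, not rendered as HTML. The strip line shows why strip_tags is a lossy choice for stored data: `<b>` and `</b>` are removed, and everything from `<3` onward is discarded because strip_tags treats it as the start of a tag.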
