
[SOLVED] htmlspecialchars() & htmlentities()


Andy17


Hey guys,

 

 

I have just started coding a login system using PHP and MySQL. The system itself is irrelevant, but what I do want to ask is whether I should add htmlentities() to the variables below or not (and why/why not).

 

<?php

$email = sha1(mysql_real_escape_string(htmlspecialchars(trim(strip_tags($_POST['email'])))));
$password = sha1(mysql_real_escape_string(htmlspecialchars(trim(strip_tags($_POST['password'])))));

?>

 

Also, how secure is the above? Did I leave something out that leaves the script with a security breach? If it can be improved somehow, I'd be happy to learn how. So basically I just wanted to know why one would add htmlentities() and why it improves the security. I did read the article at PHP.net but did not understand it 100%. I do understand what it does, just not why/when it's good/isn't good.

 

 

Thank you in advance.

Link to comment
Share on other sites

There are generally two times when you escape data. 

 

The first time is when you are putting it into the database.  In this case you use the appropriate escape method for your database, which is mysql_real_escape_string() for MySQL.  This replaces characters that are dangerous for the database with ones that aren't and protects from hackers abusing your HTML forms to inject arbitrary SQL into your database.

 

The second time you escape data is when you have taken it out of the database and are going to send it to the user's browser.  In this case it is a good idea to use htmlentities() and / or strip_tags().  This protects innocent users from abusive users who like to embed JavaScript or other dangerous content into their data with your PHP forms.

 

You do not typically use htmlentities() or strip_tags() when inserting data into the database; as a rule, valid data should go into the database intact.  That is, you should be inserting it as close to the original form as possible and not calling htmlentities() or strip_tags() on it, but only mysql_real_escape_string() so that it doesn't harm the database.

 

In terms of encrypting, hashing, or masking, when you do these depends on the content of the data and the level of protection needed.  Passwords should be hashed before being inserted into the database.  Credit card info should be encrypted before going into the database and masked to look like XXXX XXXX XXXX 1234 when displaying to the user, assuming you're saving credit card info to begin with.

Link to comment
Share on other sites

Thanks guys. So basically I don't need to use trim, htmlentities or strip_tags since I am not inserting the data into the database (just checking whether it matches or not), assuming that I am not displaying it anywhere on my website... Is that correct?

 

And on the registration page, I would use mysql_real_escape_string when inserting and htmlentities(), strip_tags() and htmlspecialchars() when pulling out information.

 

I do, however, still not quite understand the difference between htmlspecialchars() and htmlentities(); I have used htmlspecialchars() and inserted <strong>test</strong> into a forum and displayed it, and it wiped out the tags just fine. That was with strip_tags() too, though. htmlentities() just displays it (in my test only "test" was displayed, the tags were just wiped out).

Link to comment
Share on other sites

Things like

$password = sha1(mysql_real_escape_string(htmlspecialchars(trim(strip_tags($_POST['password'])))));

are also completely redundant. sha1 will always return a hexadecimal number, and there is no input to sha1() that is unsafe.

 

htmlentities is the same as htmlspecial chars pretty much

No they're not. Check the manual for the differences.

Link to comment
Share on other sites
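What the chain from the question does to a password before it is hashed, as an added example that is not code from the thread. The sample passwords are constructed, mysql_real_escape_string() is left out because it needs a live connection, and password_hash() is shown as PHP's built-in alternative to a bare sha1().

```php
<?php
// Added example; the sample passwords below are constructed.

// The chain from the question. mysql_real_escape_string() is omitted: it needs
// a live MySQL connection and the mysql_* extension was removed in PHP 7.
function chained_sha1(string $input): string
{
    return sha1(htmlspecialchars(trim(strip_tags($input))));
}

// True when two different submitted passwords end up with the same hash.
function collide(string $a, string $b): bool
{
    return $a !== $b && chained_sha1($a) === chained_sha1($b);
}

// 1) The filters rewrite the password before it is hashed:
//    strip_tags() removes "<word>", trim() removes the surrounding spaces.
var_dump(collide('pass<word>123', 'pass123'));
var_dump(collide(' secret ', 'secret'));
// Without the filters the same two inputs hash differently.
var_dump(sha1('pass<word>123') === sha1('pass123'));

// 2) A SHA-1 digest is always 40 hex characters, so escaping it afterwards
//    for SQL or for HTML has nothing left to change.
$digest = sha1("'; <script>");
var_dump(preg_match('/^[0-9a-f]{40}$/', $digest) === 1);
var_dump(htmlspecialchars($digest) === $digest);

// 3) Hashing the submitted bytes untouched with PHP's password API (5.5+),
//    which salts every hash and is checked with password_verify().
$stored = password_hash('pass<word>123', PASSWORD_DEFAULT);
var_dump(password_verify('pass<word>123', $stored));
var_dump(password_verify('pass123', $stored));
```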

And on the registration page, I would use mysql_real_escape_string when inserting and htmlentities(), strip_tags() and htmlspecialchars() when pulling out information.

 

That's essentially it.

 

INSERTING INTO THE DATABASE

1) Does the data need to be protected (i.e: passwords, credit cards)?

  a) If yes, encrypt or hash the data using your appropriate algorithm.

2) Call the appropriate escape function for your database (i.e: mysql_real_escape_string())

3) Insert into the database

 

EXTRACTING DATA FROM THE DATABASE TO DISPLAY IN A WEB PAGE

1) Select the data from the database

2) Does the data need to be protected (i.e: show XXXX-XXXX-XXXX-1234 for credit cards, show ********* for passwords)

  a) If yes, protect the data however necessary

3) Call the appropriate escape function for display as HTML (i.e: htmlentities(), strip_tags())

4) Display the HTML

 

EXTRACTING DATA FROM THE DATABASE TO DISPLAY AS PLAIN TEXT, OR IN A NON-HTML REPORT (PDF, DOC, XLS)

1) Select the data from the database

2) Does the data need to be protected (i.e: show XXXX-XXXX-XXXX-1234 for credit cards, show ********* for passwords)

  a) If yes, protect the data however necessary

3) We no longer have to escape for output

4) Produce the output (i.e: plain text, XLS, DOC, PDF)

 

 

Link to comment
Share on other sites
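The insert and extract procedures above, run end to end as an added example that is not code from the thread. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database with bound parameters in place of mysql_real_escape_string() (the mysql_* functions were removed in PHP 7); the profiles table, the h() helper and all sample values are constructed for illustration.

```php
<?php
// Added example. SQLite in memory and the "profiles" table are assumptions so
// the script runs offline; all sample values are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profiles (name TEXT, bio TEXT)');

// INSERTING: the value goes in intact. A bound parameter does the job the
// thread gives to mysql_real_escape_string(): the data cannot become SQL.
$insert = $db->prepare('INSERT INTO profiles (name, bio) VALUES (?, ?)');
$insert->execute(["Zoé O'Neil", '<strong>test</strong> <script>alert(1)</script>']);

// EXTRACTING: select first, escape only when the output format is known.
$row = $db->query('SELECT name, bio FROM profiles')->fetch(PDO::FETCH_ASSOC);

// Escape for an HTML context; ENT_QUOTES covers attribute values as well.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The stored value is byte-for-byte what the user submitted.
var_dump($row['name'] === "Zoé O'Neil");

// HTML output: htmlspecialchars() turns < > & and quotes into entities, so
// the markup is shown as text instead of being interpreted by the browser.
echo 'htmlspecialchars: ', h($row['bio']), "\n";

// strip_tags() deletes the tags and keeps the text between them.
echo 'strip_tags:       ', strip_tags($row['bio']), "\n";

// htmlentities() additionally converts every character that has a named
// entity, such as the accented letter here; on a UTF-8 page that adds nothing.
echo 'name, special:    ', h($row['name']), "\n";
echo 'name, entities:   ', htmlentities($row['name'], ENT_QUOTES, 'UTF-8'), "\n";

// Plain-text output (the third procedure): no HTML escaping is applied.
echo 'plain text:       ', $row['name'], "\n";
```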

1) Does the data need to be protected (i.e: passwords, credit cards)?

  a) If yes, encrypt or hash the data using your appropriate algorithm.

 

Not quite enough for CC info, I'm afraid:

https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf

 

The lawyers from Visa, MasterCard, AmEx, et al. are going to rape you if you don't follow those specs.

Link to comment
Share on other sites

Sorry if I'm a little slow here... Wouldn't it be best to just always use htmlentities() (instead of htmlspecialchars()) when pulling out data for display on a website?

 

Thanks for all the replies, I learned a thing or two. :)

 

Also, I'm not going to be storing credit cards! Not only do I not have enough experience with PHP, I do not know how to work with SSL either. It would also take a long time for me to feel comfortable storing information like that.

Link to comment
Share on other sites

Sorry if I'm a little slow here... Wouldn't it be best to just always use htmlentities() (instead of htmlspecialchars()) when pulling out data for display on a website?

 

Read the user comments on:

http://www.php.net/htmlspecialchars

 

They will help explain when to use one or the other.  If you have further questions feel free to post them afterward.

Link to comment
Share on other sites
