In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?

by

There are no “illegal” characters for the database. Database that cannot store some characters is a nonsense. There are some service characters, like quotes, used to delimit strings. These characters should be just escaped, not eliminated.

To send a query to the database, you have 2 options:

  1. Build a query usual way, to make it look exactly as SQL query you can run in sql console.
    To do it, one should understand a whole set of rules, not just “use mysql_real_escape_string”.
    Rules such as:

    • Strings should be both enclosed in quotes and escaped. That’s the only meaning of escaping: It’s just escape delimiters! (and some other characters – string termination char and escape character itself). Without surrounding quotes mysql_real_escape_string is just useless.
    • Numbers should be cast to it’s type explicitly. Though while data numbers can be threaten just like strings, there are some numbers, like LIMIT clause parameters, which cannot be escaped and can be only cast.

  2. To send query and data separately.
    This is most preferred way as it can be shortened to just “use binding”. All strings, numbers and LIMIT parameters can be bound – no worry at all.
    Using this method, your query with placeholders being sent to database as is, and bound data being sent in separate packets, so, it cannot interfere.
    It is just like code and data separation. You send your program (query itself) separated from the data.

But!

Everything said above covers only data part of the query.
But sometimes we have to make our query even more dynamic, adding operators or identifiers.
In this case every dynamic parameter should be hardcoded in our script and chosen from that set.
For example, to do dynamic ordering:

$orders  = array("name","price","qty"); //field names
$key     = array_search($_GET['sort'],$orders)); // see if we have such a name
$orderby = $orders[$key]; //if not, first one will be set automatically. smart enuf :)
$query   = "SELECT * FROM `table` ORDER BY $orderby"; //value is safe

or dynamic search:

$w     = array();
$where="";

if (!empty($_GET['rooms']))     $w[]="rooms="".mesc($_GET["rooms'])."'";
if (!empty($_GET['space']))     $w[]="space="".mesc($_GET["space'])."'";
if (!empty($_GET['max_price'])) $w[]="price < '".mesc($_GET['max_price'])."'";

if (count($w)) $where="WHERE ".implode(' AND ',$w);
$query="select * from table $where";

In this example we’re adding to the query only data entered by user, not field names, which are all hardcoded in the script.
For the binding the algorithm would be very similar.

And so on.

More Related Contents:

  1. How can I prevent SQL injection in PHP?
  2. SQL injection that gets around mysql_real_escape_string()
  3. How can I sanitize user input with PHP?
  4. Are PDO prepared statements sufficient to prevent SQL injection?
  5. Is “mysqli_real_escape_string” enough to avoid SQL injection or other SQL attacks?
  6. Reference: What is a perfect code sample using the MySQL extension? [closed]
  7. The ultimate clean/secure function
  8. Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
  9. When should I use prepared statements?
  10. How can I prevent SQL injection with dynamic tablenames?
  11. Examples of SQL Injections through addslashes()?
  12. SQL injections in ADOdb and general website security
  13. Is mysql_real_escape_string() broken?
  14. how to replace special characters with the ones they’re based on in PHP?
  15. Shortcomings of mysql_real_escape_string?
  16. Do I have to guard against SQL injection if I used a dropdown?
  17. Special characters in PHP / MySQL
  18. UTF-8 encoded html pages show � (questions marks) instead of characters
  19. MySQL Prepared Statements
  20. php mail special characters utf8
  21. Change foreign characters to their roman equivalent
  22. How to display special characters in PHP
  23. What does mysql_real_escape_string() do that addslashes() doesn’t?
  24. Is mysqli_real_escape_string safe?
  25. Working with GD ( imagettftext() ) and UTF-8 characters
  26. Browser displays � instead of ´
  27. Do I have to use mysql_real_escape_string if I bind parameters?
  28. json_encode produce JSON_ERROR_UTF8 from MSSQL-SELECT
  29. Is mysql_real_escape_string enough to Anti SQL Injection?
  30. What is the PDO equivalent of function mysql_real_escape_string?

Leave a Comment