Databases
StackOverflow2013
Postsdbo
POSanitizing text input before submitting to MySQL database
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POSanitizing text input before submitting to MySQL database
    primarykey
    data
    text
    <p>I'm currently working on making sure that text that is submitted into the database for a webapplication I am working on is sanitized properly before being submitted to the database, and then retrieved and displayed correctly. </p> <p>Ignoring the jumble of sanitizing functions that are currently being used (it is currently a mess and breaks things), this is what I plan on doing:</p> <ol> <li><p>Use CKEditor for text input. It automatically converts HTML tags/symbols their HTML entities.</p></li> <li><p>Utilize PDO prepared statements to submit the text to the database.</p></li> </ol> <p>Is this enough to properly sanitize input? I've been reading up on this, and many people say to use magic quotes, however I read that magic quotes is old and most recommend against using it.</p> <p>Thank you in advance for any assistance!</p>
    singulars
    1. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. PTQuestion
    1. This table or related slice is empty.
    1. USmrinehart93
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    2. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POSanitizing text input before submitting to MySQL database
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. POSanitizing text input before submitting to MySQL database
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. POSanitizing text input before submitting to MySQL database
      1. USknoight
      1. VTFavorite
    1. CO1. That's nice, but use data correctly *at the use site* (i.e. encode when emitting HTML); 2. Prepared statements eliminate SQL injection but they *do not* eliminate using data incorrectly in other places (e.g. XSS, HTML, exec injection). Magic quotes were a bad idea that tried - and failed - to fix what #2 addresses. Business rule "sanitization" should be done, but for information correctness, and not [necessarily] data injection viewpoint.
      singulars
      1. POSanitizing text input before submitting to MySQL database
      1. This table or related slice is empty.
    2. CO@pst so I should do what everyone else is saying and use htmlspecialchars when outputting the input from the database? Will that interfere with CKEditor replacing HTML tags/symbols with their entities?
      singulars
      1. POSanitizing text input before submitting to MySQL database
      1. USmrinehart93
    3. COYes, *always* encode output! (Except if there is a *really* good reason not to.) I personally *do not* encode input. Otherwise there is a blob of .. junk .. in the database. Store the information for what it *supposed* to be. While it might make sense to convert contents of an "rich text" editor into a normalized format (e.g. markdown/markup/bbcode), I would not recommend storing it "html encoded", as databases don't care about HTML. However, Business Rules might dictate that only `<em>` and `<a>` elements are allowed - now *this* should be enforced as it is *part* of the information.
      singulars
      1. POSanitizing text input before submitting to MySQL database
      1. This table or related slice is empty.
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload