Preventing code injection without limiting user input? [closed]

Answer 1

You will find a huge amount of hurt if you try to put the escaped text into the database. Instead, store exactly what they typed in, and be sure to wrap it properly when presenting it. See Joel on Software for a reasonable method of approaching this from a coding standpint.

Also, avoid manually calling mysql_escape. You should be using prepare to create a SQL statement with placeholders, such as "INSERT INTO code (texty_part) VALUES (?)", and then running $sth->execute($texty_part) to do the insertion.

Answer 2

Do both 1. Input Sanitize. 2. Out put encoding before displaying

Answer 3

mysql_real_escape_string escapes characters that are special regarding MySQL string literals:

• \, backspace character
• ', single quote character
• ", double quote character
• \0, NUL character
• \n, line break character
• \r, carriage return character
• ^Z, Control-Z, substitute character

However, it handles any data equally regardless of what the input data is actually representing. mysql_real_escape_string does only consider the character encoding in effect.

Regarding your concern: HTML, JavaScript and PHP are all interpreted languages and require an interpreter for interpretation/execution. As for HTML and JavaScript, it’s typically a web browser. And as for PHP, it’s typically the PHP runtime on a web server. But MySQL server can only interpret one language: the SQL dialect also known as MySQL.

This is also the reason why one wouldn’t handle other languages besides MySQL when inserting data into the database. Neither would one escape/encode/sanitize/insert-preferred-verb-here HTML, nor JavaScript, nor PHP, nor any other language besides MySQL.

You would only escape/encode/sanitize/insert-preferred-verb-here any of those languages when you hand the data down to a component that may interpret that specific language.

Answer 4

As I understand it, using something like mysql_escape will escape all special characters, keywords, etc.

You understand it wrong. "mysql_escape" doesn't make "all special characters, keywords, etc." "harmless", as you (after wast masses of PHP users) believe. The purpose of this honest function is totally different.

For HTML, Javascript or PHP, it would only be executed once the column value is selected and used for generating a webpage.

Save for PHP which won't be executed unless you call eval() on it explicitly

I suppose you could html_escape before putting the data into the database, but what if the code snippets were retrieved using something other than a web browser?

html_escape it before sending to browser then?