[PHP] htmlentities

Stephen
[PHP] htmlentities
December 13, 2016 05:41AM
I am going over old code as I create a new web site.

My libraries have always called the subject on user input before
inserting to a database.

I started this before moving to PDO and prepared statements.

So my question is, do I still need htmlentities, or is it redundant.

--
Stephen

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Aziz Saleh
Re: [PHP] htmlentities
December 13, 2016 05:41AM
Prepared statements have nothing to do with htmlentities (probably since
it's old code it was doing it wrong, should have been using
mysql_real_escape_string).

Prepared statements make it (mostly) safe to store in database (stopping
sql hacks).
htmlentities is for outputting html to the user (stopping html/css/js
injections to the page).

If you are outputting the content to the user (and data is provided by
users) you should make sure it is correctly escaped before displaying.

Similar question on SE:
http://stackoverflow.com/questions/1219159/do-i-need-htmlentities-or-htmlspecialchars-in-prepared-statements

On Thu, Jul 21, 2016 at 9:00 PM, Stephen <[email protected]> wrote:

> I am going over old code as I create a new web site.
>
> My libraries have always called the subject on user input before inserting
> to a database.
>
> I started this before moving to PDO and prepared statements.
>
> So my question is, do I still need htmlentities, or is it redundant.
>
> --
> Stephen
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
Stephen
Re: [PHP] htmlentities
December 13, 2016 05:41AM
On 16-07-21 09:50 PM, Aziz Saleh wrote:
> Prepared statements have nothing to do with htmlentities (probably since
> its an old code it was doing it wrong, should have been using
> mysql_real_escape_string).
>
> Prepared statements make it (mostly) safe to store in database (stopping
> sql hacks).
> htmlentities is for outputting html to the user (stopping html/css/js
> injections to the page).
>
> If you are outputting the content to the user (and data is provided by
> users) you should make sure it is correctly escaped before displaying.
>
> Similar question on SE:
> http://stackoverflow.com/questions/1219159/do-i-need-htmlentities-or-htmlspecialchars-in-prepared-statements

Thank you!

--
Stephen

Omega -1911
Re: [PHP] htmlentities
December 13, 2016 05:41AM
On Thu, Jul 21, 2016 at 9:50 PM, Aziz Saleh <[email protected]> wrote:

> Prepared statements have nothing to do with htmlentities (probably since
> its an old code it was doing it wrong, should have been using
> mysql_real_escape_string).
>
>
That is NOT true. To rely on mysql_real_escape_string still leaves an open
window to attack:
http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string

A simple regex (or so) to only allow approved characters would be better
practice.
Ashley Sheridan
Re: [PHP] htmlentities
December 13, 2016 05:41AM
On Thu, 2016-07-21 at 23:04 -0400, Omega -1911 wrote:
> On Thu, Jul 21, 2016 at 9:50 PM, Aziz Saleh <[email protected]> wrote:
>
> > Prepared statements have nothing to do with htmlentities (probably since
> > its an old code it was doing it wrong, should have been using
> > mysql_real_escape_string).
> >
> >
> That is NOT true. To rely on mysql_real_escape_string still leaves an open
> window to attack:
> http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string
>
> A simple regex (or so) to only allow approved characters would be better
> practice.

That would NOT be a better practice, as your regex would need to be
unnecessarily complicated for all the characters you want to allow (and
what about poor old Patrick O'Leary who you just prevented entry to your
form because they have an apostrophe in their name that you forgot to
include?
https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/)

Use prepared statements with PDO, they will protect you to the level you
want. At this point anything is better than the mysql_* functions you
appear to be using.

htmlentities() is only for presentation to a browser when the content is
HTML. It's very bad practice to use this on content before entering it
into a DB, as that's modifying the content in a way that can't be easily
undone (e.g. if the content already legitimately had encoded HTML in
there.)

Thanks,
Ash

http://www.ashleysheridan.co.uk

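Aziz's and Ash's points above worked through as an added example (not code from the thread or from anyone in it): the value is bound as a query parameter when stored and encoded only at the HTML sink, and the last part shows what double encoding does when htmlentities() ran before the INSERT. It assumes the SQLite PDO driver is installed so the script runs offline, and the helper name h() is my own.

```php
<?php
// Added example, not code from the thread. Storage and display are separate
// concerns: bind the value as a parameter when storing it, encode it for HTML
// only when rendering it. The end shows what breaks if htmlentities() runs
// before the INSERT instead.
declare(strict_types=1);

// Assumption: the SQLite PDO driver is present so this runs offline;
// the MySQL PDO driver behaves the same way for the calls used here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

/** HTML sink: encode once, here. ENT_QUOTES also covers attribute values. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: a legitimate apostrophe and a markup payload.
$author = "Patrick O'Leary";
$body   = '<b>5 > 3</b> & "quotes"';

// The apostrophe travels as data; it is never spliced into the SQL text.
$insert = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$insert->execute([':author' => $author, ':body' => $body]);

$row = $pdo->query('SELECT author, body FROM comments')->fetch(PDO::FETCH_ASSOC);
assert($row['author'] === $author && $row['body'] === $body);   // stored unmodified

// HTML page: encode at output, so the tag and the quotes render as text.
echo '<p data-author="', h($row['author']), '">', h($row['body']), "</p>\n";

// JSON API: the same raw row, encoded for JSON instead of for HTML.
echo json_encode($row, JSON_THROW_ON_ERROR), "\n";

// The old approach: htmlentities() before INSERT. The template then encodes
// already-encoded text a second time (the user sees the entities as literal
// text), and the JSON client receives entities it never submitted.
$storedEncoded = htmlentities($body, ENT_QUOTES, 'UTF-8');
assert(h($storedEncoded) !== h($body));                            // double encoding
assert(html_entity_decode($storedEncoded, ENT_QUOTES, 'UTF-8') === $body);
// Decoding happens to work here, but not in general: a body that legitimately
// contained "&amp;" when submitted becomes indistinguishable from one with "&".
```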
German Geek
Re: [PHP] htmlentities
December 13, 2016 05:41AM
mysql_real_escape_string is by far better than a simple regex. The post on
stackoverflow is a bit misleading.

Select * from table where id = 1 or true

Would select all, yes. One should always put the value into single quotes.
That way the "attack" from the stackoverflow post isn't possible at all.
Strings in sql can also be used when the value is a non string type like
integer.

The above query would become

select * from table where id = '1 or true'

Now there is no injection possible because ' is illegal.

Select * from table where id = '1'

Will still work as expected.

However, parameterized queries simplify injection prevention and if
possible should be preferred.

Knowing that any value can be forced to be literal with single quotes is
probably the most useful piece of information here.

On Fri, Jul 22, 2016, 09:08 Ashley Sheridan <[email protected]>
wrote:

> On Thu, 2016-07-21 at 23:04 -0400, Omega -1911 wrote:
> > On Thu, Jul 21, 2016 at 9:50 PM, Aziz Saleh <[email protected]> wrote:
> >
> > > Prepared statements have nothing to do with htmlentities (probably
> since
> > > its an old code it was doing it wrong, should have been using
> > > mysql_real_escape_string).
> > >
> > >
> > That is NOT true. To rely on mysql_real_escape_string still leaves an
> open
> > window to attack:
> >
> http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string
> >
> > A simple regex (or so) to only allow approved characters would be better
> > practice.
>
> That would NOT be a better practice, as your regex would need to be
> unnecessarily complicated for all the characters you want to allow (and
> what about poor old Patrick O'Leary who you just prevented entry to your
> form because they have an apostrophe in their name that you forgot to
> include?
>
> https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/
> )
>
> Use prepared statements with PDO, they will protect you to the level you
> want. At this point anything is better than the mysql_* functions you
> appear to be using.
>
> htmlentities() is only for presentation to a browser when the content is
> HTML. It's very bad practice to use this on content before entering it
> into a DB, as that's modifying the content in a way that can't be easily
> undone (e.g. if the content already legitimately had encoded HTML in
> there.)
>
> Thanks,
> Ash
>
> http://www.ashleysheridan.co.uk
>
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
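The "1 or true" case from the Stack Overflow link and German Geek's reply, as an added example rather than code from the thread: the interpolated integer condition beside a validated, bound parameter. It assumes the SQLite PDO driver is available (SQLite accepts TRUE in expressions since 3.23), and findItem() is a name I chose.

```php
<?php
// Added example, not code from the thread. Uses the thread's own "1 or true"
// input to contrast string interpolation with a bound parameter.
declare(strict_types=1);

// Assumption: SQLite PDO driver available; SQLite understands TRUE in WHERE.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO items (name) VALUES ('one'), ('two'), ('three')");

$untrusted = '1 or true';   // constructed request value, e.g. $_GET['id']

// Unsafe: the value becomes SQL text. Nothing is quoted or escaped for a
// "numeric" column, so the condition reads "id = 1 or true".
$unsafe = $pdo->query('SELECT id FROM items WHERE id = ' . $untrusted)->fetchAll(PDO::FETCH_COLUMN);
assert(count($unsafe) === 3);   // every row comes back

// Safe: validate the type at the edge, then bind the value as data.
function findItem(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;   // not a positive integer: refuse rather than coerce
    }
    $stmt = $pdo->prepare('SELECT id, name FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

assert(findItem($pdo, $untrusted) === null);       // rejected before any query runs
assert(findItem($pdo, '2')['name'] === 'two');      // a normal lookup still works

// Even without the validation step, a bound parameter cannot alter the query:
// the whole string is compared as one literal value, matching nothing.
$stmt = $pdo->prepare('SELECT id FROM items WHERE id = :id');
$stmt->execute([':id' => $untrusted]);
assert($stmt->fetchAll() === []);
```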
Ashley Sheridan
Re: [PHP] htmlentities
December 13, 2016 05:41AM
On 22 July 2016 10:53:44 BST, German Geek <[email protected]> wrote:
>mysql_real_escape_string is by far better than a simple regex. The post
>on
>stackoverflow is a bit misleading.
>
>Select * from table where id = 1 or true
>
>Would select all, yes. One should always put the value into single
>quotes.
>That way the "attack " from the stackoverflow post isn't possible at
>all.
>Strings in sql can also be used when the value is a non string type
>like
>integer.
>
>The above query would become
>
>select * from table where id = '1 or true'
>
>Now there is no injection possible because ' is illegal.
>
>Select * from table where id = '1'
>
>Will still work as expected.
>
>However, parameterized queries simplify injection prevention and if
>possible should be preferred.
>
>Knowing that any value can be forced to be literal with single quotes
>is
>probably the most useful piece of information here.
>
>On Fri, Jul 22, 2016, 09:08 Ashley Sheridan <[email protected]>
>wrote:
>
>> On Thu, 2016-07-21 at 23:04 -0400, Omega -1911 wrote:
>> > On Thu, Jul 21, 2016 at 9:50 PM, Aziz Saleh <[email protected]>
>wrote:
>> >
>> > > Prepared statements have nothing to do with htmlentities
>(probably
>> since
>> > > its an old code it was doing it wrong, should have been using
>> > > mysql_real_escape_string).
>> > >
>> > >
>> > That is NOT true. To rely on mysql_real_escape_string still leaves
>an
>> open
>> > window to attack:
>> >
>>
>http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string
>> >
>> > A simple regex (or so) to only allow approved characters would be
>better
>> > practice.
>>
>> That would NOT be a better practice, as your regex would need to be
>> unnecessarily complicated for all the characters you want to allow
>(and
>> what about poor old Patrick O'Leary who you just prevented entry to
>your
>> form because they have an apostrophe in their name that you forgot to
>> include?
>>
>>
>https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/
>> )
>>
>> Use prepared statements with PDO, they will protect you to the level
>you
>> want. At this point anything is better than the mysql_* functions you
>> appear to be using.
>>
>> htmlentities() is only for presentation to a browser when the content
>is
>> HTML. It's very bad practice to use this on content before entering
>it
>> into a DB, as that's modifying the content in a way that can't be
>easily
>> undone (e.g. if the content already legitimately had encoded HTML in
>> there.)
>>
>> Thanks,
>> Ash
>>
>> http://www.ashleysheridan.co.uk
>>
>>
>>
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>

Neither mysql_* functions or Regex should be used for this sort of thing. If you do, then your code is broken.

The mysql_* functions have been deprecated for years. As for the Regex, Jamie Zawinski said it well with:

'Some people, when confronted with a problem, think
"I know, I'll use regular expressions." Now they have two problems'



--
Sent from my Android device with K-9 Mail. Please excuse my brevity.