I am working on a form with the possiblity for the user to use illegal/special characters in the string that is to be submitted to the database. I want to escape/negate these characters in the string and have been using htmlspecialchars(). However, is there is a better/faster method?
相关问题
- Views base64 encoded blob in HTML with PHP
- Laravel Option Select - Default Issue
- PHP Recursively File Folder Scan Sorted by Modific
- Can php detect if javascript is on or not?
- Using similar_text and strpos together
First of all, you should sanitize things when displaying, not before inserting into the database. SQL injections are another story, but probably off-topic.
Second, if you don't need your users to be able to post HTML at all,
htmlspecialchars
is all you need. It takes care of all the special characters in HTML.You haven't stated what these illegal characters may be but you should definitely be using the database API's supplied mechanism to escape data. For instance, if you're using MySQL, use PDO parameterized SQL statements.
Users can go a lot beyond than that actually.
Use HTML Purifier:
and decide for yourself :)
If you submit this data to the database, please take a look at the escape functions for your database.
That is, for MySQL there is mysql_real_escape_string.
These escape functions take care of any characters that might be malicious, and you will still get your data in the same way you put it in there.
You can also use prepared statements to take care of the data:
Or a little more self explaining:
In case you want to save different types of data, use
bindParam
to define each type, that is, an integer can be defined by:$db->bindParam(':userId', $userId, PDO::PARAM_INT);
. Example:Where
$db
is your PHP data object (PDO). If you're not using one, you might learn more about it at PHP Data Objects.This is not a problem you want to tackle on your own. There are libraries out there to do this for you, such as the HTML Purifier.
There are no "illegal" characters for the database. Database that cannot store some characters is a nonsense. There are some service characters, like quotes, used to delimit strings. These characters should be just escaped, not eliminated.
To send a query to the database, you have 2 options:
Build a query usual way, to make it look exactly as SQL query you can run in sql console.
To do it, one should understand a whole set of rules, not just "use mysql_real_escape_string".
Rules such as:
To send query and data separately.
This is most preferred way as it can be shortened to just "use binding". All strings, numbers and LIMIT parameters can be bound - no worry at all.
Using this method, your query with placeholders being sent to database as is, and bound data being sent in separate packets, so, it cannot interfere. It is just like code and data separation. You send your program (query itself) separated from the data.
But!
Everything said above covers only data part of the query.
But sometimes we have to make our query even more dynamic, adding operators or identifiers.
In this case every dynamic parameter should be hardcoded in our script and chosen from that set.
For example, to do dynamic ordering:
or dynamic search:
In this example we're adding to the query only data entered by user, not field names, which are all hardcoded in the script. For the binding the algorithm would be very similar.
And so on.