I have a site which allows the user to save images. I sanitize mysql inserts with 'mysql_real_escape_string', but someone went and entered a meta with a content redirect in his image description, so that whenever our site loads (loading the latest images as well), it redirects.
How can I sanitize my strings or sql queries to protect against that?
Thanks in advance!
For this particular example, you could have avoided it by using htmlentities when outputting the data:
<?php
$str = "A 'quote' is <b>bold</b>";
// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
// (default flags before PHP 8.1 leave single quotes unencoded)
echo htmlentities($str);
// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str, ENT_QUOTES);
?>
The catch is that it would prevent pretty much any HTML from being used in the stuff you are saving. If you are trying to allow certain tags and disallow others, it quickly gets a lot more complicated.
mysql_real_escape_string is only used to prevent SQL injection.
To prevent XSS, you need to use htmlspecialchars or htmlentities to sanitize the html content.
I think you should be using htmlspecialchars() every time before outputting anything from the database, and before you submit the user input to the database use prepared statements + htmlspecialchars().
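The combination the two answers above describe (a prepared statement for the insert, HTML encoding for the output), as an added example that is not code from either answer. It assumes an `images` table with `id` and `description` columns and an already connected mysqli handle; the stored text is kept raw and encoded once, at render time, for the HTML context.

```php
<?php
// Added example (not from the original answers): store an image description with a
// prepared statement and encode it on output so a stored <meta http-equiv="refresh">
// tag renders as literal text instead of redirecting the page.
// Assumes a table `images` (columns `id`, `description`) and a connected mysqli link.

declare(strict_types=1);

// Encoding for an HTML text node or attribute value (UTF-8, both quote styles encoded,
// invalid byte sequences replaced rather than returning an empty string).
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// SQL injection is handled by the parameterised query: the description travels as a
// bound value, so neither mysql_real_escape_string nor HTML escaping belongs here.
function saveDescription(mysqli $db, int $imageId, string $description): void
{
    $stmt = $db->prepare('UPDATE images SET description = ? WHERE id = ?');
    $stmt->bind_param('si', $description, $imageId);
    $stmt->execute();
}

// Output encoding happens at render time, once, for the context the value lands in.
function renderDescription(string $description): string
{
    return '<p class="description">' . escapeHtml($description) . '</p>';
}

// Constructed sample of the kind of description reported in the question.
$hostile = '<meta http-equiv="refresh" content="0; url=https://example.invalid/">';

// The angle brackets and quotes come out as entities, so the browser shows the tag
// as text inside the paragraph and performs no redirect.
echo renderDescription($hostile), PHP_EOL;
```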
[optional]
Here are a couple of things you can do:
strip_tags()
mysqli_* functions instead of mysql_
htmlentities()