how do I protect an sql entry from a “meta” injection?

Question

I have a site which allows the user to save images. I sanitize mysql inserts with 'mysql_real_escape_string', but someone went and entered a meta with a content redirect in his image description, so that whenever our site loads (loading the latest images as well), it redirects.

How can I sanitize my strings or sql queries to protect against that?

Thanks in advance!

Answer 1

For this particular example, you could have avoided it by using htmlentities when outputting the data:

<?php
$str = "A 'quote' is <b>bold</b>";

// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str);

// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str, ENT_QUOTES);
?>

The catch is that it would destroy pretty much any HTML from being used in the stuff you are saving. If you are trying to allow certain tags and disallow others, it quickly gets a lot more complicated.

Answer 2

mysql_real_escape_string is only used to prevent sql injection.

To prevent XSS, you need to use htmlspecialchars or htmlentities to sanitize the html content.

Answer 3

I think you should be using the htmlspecialchars(); everytime before putting anything from the database and before you submit the user input to the database use prepared statements + htmlspecialchars(); [optional]

Answer 4

Here is couple of things you can do

1. Use strip_tags()
2. Use mysqli_* function instead of mysql_
3. Use parameterized queries/prepared statments.
4. If possible consider using PHP Frameworks.
5. Convert special character into their respective htmlentities()