Confused on htmlspecialchars, real_escape_string, etc

Question

I've written a decent admin interface that includes inventory management, content management, and blogging. Now its time to lock it down and make it secure (Yes, I should have been doing it from the beginning...

For blog creation/editing, I'm using ckeditor which posts HTML output to editblog.php. Also i'm using simple text inputs for Title, Author, etc...

I'm concerned because the blog will have img src="uploads/etc.jpg", as well as divs, spans, etc...

SO! When I sanitize this data, how do I make sure that all those quotes and slashes can be safely shoved into my SQL database, and what do i do to spit it back out on the frontend? I'm also concerned because if the blogger "quotes" something, I don't want that to be messed with either.

Simple input like title, author, etc I'm using $title = mysqli_real_escape_string($title) But is that enough? How do I preserve the user's intended input while avoiding attack?

I've done my research and yet I still don't get it. I hope someone can break it down nice and simple for me...

Answer 1

Nice and simple...

You always sanitize for the context to which you want to write.

These techniques will preserve the user's input, but prevent that input from being interpreted as code within a specific context.

When you want to query the database, you are worried about SQL injection attacks:

• Use mysql_real_escape_string to sanitize SQL for the database query.

When you want to display something (as HTML) that will be parsed by the browser, you are worried about cross site scripting:

• Use htmlspecialchars to sanitize for HTML output.

This will provide a basic level of security.

• For more security on the database side, you should look at prepared statements and PHP PDO .
• For more information about some pitfalls of htmlspecialchars, take a look at @Cheekysoft's excellent explaination: htmlspecialchars and mysql_real_escape_string