I have this script that collects data from users, and I wanted to check their data for malicious code like XSS and SQL injections by using HTML Purifier http://htmlpurifier.org/, but how do I add it to my PHP form submission script?

Here is my HTML purifier code

require_once '../../htmlpurifier/library/HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();
$config->set('Core.Encoding', 'UTF-8'); // replace with your encoding
$config->set('HTML.Doctype', 'XHTML 1.0 Strict'); // replace with your doctype
$purifier = new HTMLPurifier($config);

// $dirty_html is the untrusted markup to be cleaned
$clean_html = $purifier->purify($dirty_html);

Here is my PHP form submission code.

if (isset($_POST['submitted'])) { // Handle the form.

    $mysqli = mysqli_connect("localhost", "root", "", "sitename");
    $user_id = 3; // the same id the SELECT below hard-codes; $user_id was otherwise never set

    // Does this user already have a profile row? (join profile, not contact_info,
    // since profile.* is selected and profile is the table written below)
    $dbc = mysqli_query($mysqli, "SELECT users.*, profile.*
                                  FROM users
                                  INNER JOIN profile ON profile.user_id = users.user_id
                                  WHERE users.user_id = 3");

    $about_me  = mysqli_real_escape_string($mysqli, $_POST['about_me']);
    $interests = mysqli_real_escape_string($mysqli, $_POST['interests']);

    if (mysqli_num_rows($dbc) == 0) {
        // No profile yet: create one on the connection already open (no second mysqli_connect)
        $dbc = mysqli_query($mysqli, "INSERT INTO profile (user_id, about_me, interests)
                                      VALUES ('$user_id', '$about_me', '$interests')");
    }

    if ($dbc == TRUE) {
        $dbc = mysqli_query($mysqli, "UPDATE profile
                                      SET about_me = '$about_me', interests = '$interests'
                                      WHERE user_id = '$user_id'");

        echo '<p class="changes-saved">Your changes have been saved!</p>';
    }

    if (!$dbc) {
        // There was an error...do something about it here...
        print mysqli_error($mysqli);
        return; // ends this script file
    }

}
A: 
if ($dbc == TRUE) {
        // add the stuff you want to clean here.
        // $about_me / $interests should be the raw $_POST values at this point,
        // otherwise they get escaped once above and again below.
        $about_me = $purifier->purify($about_me);
        $interests = $purifier->purify($interests);

        // the connection is mysqli, so use mysqli_real_escape_string with the link
        $dbc = mysqli_query($mysqli, "UPDATE profile
                                      SET about_me = '" . mysqli_real_escape_string($mysqli, $about_me) . "', interests = '" . mysqli_real_escape_string($mysqli, $interests) . "'
                                      WHERE user_id = '$user_id'");

        echo '<p class="changes-saved">Your changes have been saved!</p>';
}

You should also think about escaping the data before entering it in the DB using mysql_real_escape_string()

You can also combine mysql_real_escape_string($purifier->purify($interests)), but I didn't consolidate to make it more readable.

easement
A: 

I wanted to check their data for malicious code like XSS and SQL injections by using HTML Purifier

That's not what HTML Purifier is meant for.

HTML Purifier is for when you need to allow the user to submit actual [X]HTML for inclusion in a page, but you don't want them to have full access to all the potentially-dangerous features of HTML.

It is not a substitute for proper use of htmlspecialchars when outputting a string of text into an HTML page. In the vast majority of cases where you want user input to be text strings and not HTML markup, you want to escape those < and & signs to &lt; and &amp;, not treat them as markup and mangle them in an attempt to make that markup ‘clean’.

It also does nothing at all against SQL injection. You must continue to use mysqli_real_escape_string, or go to parameterised queries.

bobince
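The two answers above describe three separate layers: parameterised queries against SQL injection, htmlspecialchars for fields that are plain text, and HTML Purifier only for a field that is genuinely allowed to carry markup. The following is an added example showing all three layered together; it is not code from the question or from either answer. It assumes the table layout from the question (a profile table keyed by user_id), the HTMLPurifier library path used in the question, that about_me is an HTML field and interests a plain-text field, and a whitelist in HTML.Allowed chosen for illustration.

```php
<?php
// Added example: prepared statements for SQL, HTML Purifier for the one HTML field,
// htmlspecialchars for text at output time. Not the question's or the answers' code.
require_once '../../htmlpurifier/library/HTMLPurifier.auto.php';

$mysqli = new mysqli("localhost", "root", "", "sitename");
$mysqli->set_charset('utf8mb4'); // keep the connection charset explicit

// Purifier policy (assumed whitelist): only this markup survives in about_me.
$config = HTMLPurifier_Config::createDefault();
$config->set('Core.Encoding', 'UTF-8');
$config->set('HTML.Doctype', 'XHTML 1.0 Strict');
$config->set('HTML.Allowed', 'p,b,i,a[href],ul,ol,li,br');
$purifier = new HTMLPurifier($config);

// SQL injection: every value travels as a bound parameter, never inside the SQL string,
// so mysqli_real_escape_string is neither needed nor wanted here.
function save_profile(mysqli $db, int $user_id, string $about_me, string $interests): bool
{
    $stmt = $db->prepare("SELECT 1 FROM profile WHERE user_id = ?");
    $stmt->bind_param('i', $user_id);
    $stmt->execute();
    $stmt->store_result();
    $exists = $stmt->num_rows > 0;
    $stmt->close();

    if ($exists) {
        $stmt = $db->prepare("UPDATE profile SET about_me = ?, interests = ? WHERE user_id = ?");
        $stmt->bind_param('ssi', $about_me, $interests, $user_id);
    } else {
        $stmt = $db->prepare("INSERT INTO profile (user_id, about_me, interests) VALUES (?, ?, ?)");
        $stmt->bind_param('iss', $user_id, $about_me, $interests);
    }
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Output: the purified HTML is emitted as markup; the text field is escaped.
function render_profile(string $about_me_html, string $interests_text): string
{
    return '<div class="about">' . $about_me_html . '</div>'
         . '<div class="interests">'
         . htmlspecialchars($interests_text, ENT_QUOTES, 'UTF-8')
         . '</div>';
}

if (isset($_POST['submitted'])) {
    // Assumption: the question hard-codes user 3. In practice take the id from the
    // server-side session of the logged-in user, never from the form itself.
    $user_id = 3;

    // about_me may contain limited HTML: purify it (do not htmlspecialchars it as well,
    // or the allowed tags are turned back into literal text).
    $about_me = $purifier->purify($_POST['about_me'] ?? '');

    // interests is plain text: store it as typed; it is escaped when rendered.
    $interests = trim($_POST['interests'] ?? '');

    if (save_profile($mysqli, $user_id, $about_me, $interests)) {
        echo '<p class="changes-saved">Your changes have been saved!</p>';
        echo render_profile($about_me, $interests);
    } else {
        error_log($mysqli->error); // log the driver error; do not echo it to the browser
        echo '<p class="error">Your changes could not be saved.</p>';
    }
}
```

Two practical checks when adapting this: an input of `<script>alert(1)</script>` in about_me is stripped by the purifier because script is not in HTML.Allowed, while the same string in interests is stored verbatim and comes out of render_profile as `&lt;script&gt;...`, harmless in the page; and `' OR 1=1 --` in either field is stored as those literal characters because bound parameters are never parsed as SQL.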