views: 924

answers: 3

A user will input text in a textarea. It is then inserted directly into a MySQL database. I use trim, htmlentities, mysql_real_escape_string on it and I have magic quotes enabled. How should I sanitize it when outputting that data back into a textarea?

Thanks for your help. I've never been too sure on the correct way of doing this...

+9  A: 

You shouldn't use htmlentities when saving it. You should use htmlentities when displaying it. The rule of thumb is not to encode/sanitize the data until you need to. If you do htmlentities on it when you save then you have to do html_entity_decode on the text when the user wants to edit the input. So you sanitize for what you need and nothing more. When saving it, you need to sanitize for SQL injection, so you mysql_real_escape_string it. When displaying, you need to sanitize for XSS, so you htmlentities it.

Also, I am not sure if you saw Darryl Hein's comment, but you really do not want magic_quotes enabled. They are a bad, bad, thing and have been deprecated as of PHP 5.3 and will be gone altogether in PHP 6.

Paolo Bergantino
Should that be the only precaution I take?
Joel Verhagen
If you're okay with not allowing HTML in whatever the string is, that is all. If you want HTML to be allowed then you go down a very dangerous road of white lists and whatnot.
Paolo Bergantino
Just a side note, does this hold true when BBCode parsing too?
Joel Verhagen
Well, for that I would make an exception. Since message boards sometimes can be very busy, having to translate BBCode on every page view would be pretty expensive. At that point it would be better to have an encoded_field and a raw_field, the former to display and the latter to show when editing.
Paolo Bergantino
+2  A: 

In addition to Paolo's answer about when to use htmlentities(), unless you're using an old version of PHP, the correct way to sanitize for insertion into a mysql DB is to use Prepared Statements which are part of the mysqli extension. This replaces any need to use mysql_real_escape_string().

Other than that, I think you've got things covered.

Chad Birch
Note that using prepared statements is not enough, you have to use bound parameters. IOW: use '?' in the SQL string, and send the data with stmt->bind_param()
Javier
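The two answers above (store the raw text with a bound parameter, encode only at output) put together, as an added example that is not code from the question or any answer. It assumes a table `posts` with an auto-increment `id` and a TEXT column `body`, placeholder connection details, and uses htmlspecialchars() where the answers say htmlentities() (either works for the HTML context shown).

```php
<?php
// Added example: keep the text unmodified in the database via a bound parameter,
// and escape it only at the moment it is rendered back into HTML.
// Assumes (placeholders): table `posts` (id INT AUTO_INCREMENT, body TEXT) and the
// connection values below.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4'); // binding is only safe when the connection charset is correct

function save_post(mysqli $db, string $body): int {
    // The text travels separately from the SQL, so quotes, backslashes and
    // semicolons in $body are data, never SQL. No mysql_real_escape_string needed.
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
    return $db->insert_id;
}

function load_post(mysqli $db, int $id): ?string {
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ? $row['body'] : null;
}

// Output-time encoding for an HTML context. This happens here, not before the INSERT,
// so the edit form gets the original text back without any html_entity_decode step.
function textarea_html(string $raw): string {
    // ENT_QUOTES also encodes single quotes; the charset must match the stored data.
    // A "</textarea>" inside $raw becomes "&lt;/textarea&gt;" and cannot close the element.
    return '<textarea name="body">'
        . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8')
        . '</textarea>';
}

// Constructed sample input: contains a quote that breaks a naive string-built INSERT,
// and a closing tag plus script that would run if echoed unescaped.
$input = trim("It's </textarea><script>alert(1)</script>");
$id  = save_post($db, $input);
$raw = load_post($db, $id);   // identical to $input: nothing was mangled on save
echo textarea_html($raw);     // browser shows the text literally; the script does not run
```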
A: 

There are two main reasons to encode data : Security and 'displayability'. Security shouldn't be ignored as an important factor.

For ASP.NET there is some useful information on Phil Haacked's blog : Take Charge of Your Security.

Many of the ASP.NET controls don't encode automatically when some assume they do and this article helps clear up any ambiguities.

This article applies to both ASP.NET and ASP.NET MVC. There are also some useful articles that he links to.

Simon_Weaver
Relevance? The question says "how" not "should I" and he is specifically talking about PHP, not ASP
ftrotter