0

I'm using a rich text editor (Nicedit) with a cms project I'm making. In order to reduce the likelihood of SQL injections, I'm using the mysqli_real_escape_string function to escape the user input before putting it into the database.

However, I observed that all the single quotes will get an additional backslash attached to it when I echo it onto a page. For example, if the user input is "Let's have a meeting", it will become "Let\'s have a meeting".

I understand that the whole idea of escaping a string is to add a backslash to potentially problematic input. I'm just wondering if it's safe to remove the backslash in a string when echoing it back to the page?

```php
// Escaped for use inside an SQL string literal only
$escaped_string = mysqli_real_escape_string($connection, $_POST['string']);

// Strips every backslash before output (including any the user typed) and
// does nothing about characters that are special in HTML
echo str_replace("\\", "", $escaped_string);
```

Thank you! This project is just part of my learning PHP and won't be used anywhere, so please don't get worked up!

Panpaper
  • 101
  • 1
  • You should be using something like PDO to filter and sanitize your input; what you are doing is prone to bugs that could lead to injection. There's a bunch of topics related to this on StackOverflow, also docs @ https://www.php.net/manual/en/book.pdo.php – David Houde Apr 18 '19 at 11:41

3 Answers

2

You should never use anything "to reduce the likelihood of SQL injections" in the first place. It just doesn't work this way. You are not adding some code just in case, sort of a rabbit's foot. SQL injections simply must be prevented, using certain tools. It is so easy to achieve that it just should go without saying. Just never add any variable to your SQL queries - that's all. Here is how. It doesn't only prevent injections but also relieves you from that escaping mess.

That said, no extra slashes should appear in the output unless there is an error in your code. Escaping is used for the query only, it is not stored in the database. So instead of removing extra slashes you must not add them in the first place.

2

No, it's not safe, because what you are doing is wrong. In your code you are echoing a variable that has only been sanitized using mysqli_real_escape_string (https://www.php.net/manual/en/function.mysql-real-escape-string.php). All that function does is prepend backslashes to some characters, like the single quote, the new line character, etc. This function was only meant to sanitize a string before using it in an SQL statement. By the way, today it is considered bad practice to use such a function, and the recommended way to make queries to the database is to use prepared statements. It's a totally different way to make queries, and you will need to use another set of PHP functions and objects.

To echo something on an HTML web page you can't use mysqli_real_escape_string for sanitization, because the set of dangerous characters is different. In HTML, you need to escape the < and > characters, for example. Other characters might have to be escaped depending on where you are echoing them, for example the single or double quote. Also, the escaping method is different from the one used for SQL: a single quote in HTML won't be prepended with a backslash when escaped, but will need to be replaced with an HTML entity, becoming &apos;. A PHP function you might use for this is htmlspecialchars (https://www.php.net/manual/en/function.htmlspecialchars.php).

reed
  • 15,398
  • 6
  • 43
  • 64
  • What if I need to retain some HTML tags? I'm getting input from a rich text editor, so things like , , , , etc. need to be preserved. Is strip_tags a good way to do it? – Panpaper Apr 18 '19 at 18:43
  • @Panpaper, the PHP docs say that `strip_tags` does not remove HTML attributes, meaning that malicious JavaScript code can be injected anyway (XSS). If you need to allow some HTML I wouldn't trust that function, or any function that isn't actually based on a **strict** whitelist. That is, you should write a function that only allows specific strings like `, , , `, and nothing else. Img tags are trickier, because you'll need to be very careful with the SRC attribute. – reed Apr 18 '19 at 22:50
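The two answers above (bind parameters instead of escaping, then encode for HTML on output) put into one runnable script. This is an added example, not code from the question or from any of the answers. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; with MySQL only the DSN and credentials would change. The `posts` table, the `body` column, the function names and the sample input are all made up for the example. It demonstrates that the apostrophe in "Let's" is stored unchanged with no backslash, that `htmlspecialchars` turns it into the `&apos;` entity mentioned in the answer, and, for the rich-text case from the comments, a strict whitelist that re-enables only a few exact bare tags after everything has been encoded (attributes stay encoded, so `strip_tags`'s weakness does not apply).

```php
<?php
// Added example, not the question's or answers' code. In-memory SQLite via PDO
// so it runs stand-alone; table/column names are invented for the example.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT NOT NULL)');

// Store user input through a bound parameter: the value is sent separately
// from the SQL text, so nothing is escaped and no backslash is ever stored.
function savePost(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// Read it back, again with a bound parameter for the id.
function loadPost(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['body'];
}

// Output encoding for HTML: <, >, &, " and ' become entities, so any markup
// in the stored text is shown as text rather than interpreted by the browser.
// ENT_HTML5 makes the single quote &apos; instead of &#039;.
function toHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Rich-text variant using a strict whitelist: encode everything first, then
// turn back only these exact bare tags. A tag with any attribute (<b style=..>,
// <img src=..>) does not match and stays encoded.
function toHtmlWithAllowedTags(string $text): string
{
    $allowed = ['b', 'i', 'u', 'em', 'strong', 'p', 'br'];
    $html = toHtml($text);
    foreach ($allowed as $tag) {
        $html = str_replace(
            ["&lt;{$tag}&gt;", "&lt;/{$tag}&gt;"],
            ["<{$tag}>", "</{$tag}>"],
            $html
        );
    }
    return $html;
}

// Constructed sample input: an apostrophe, an allowed tag, an ampersand and a
// script element that must come out as inert text.
$input = "Let's have a <b>meeting</b> & <script>alert(1)</script>";

$id = savePost($db, $input);
$stored = loadPost($db, $id);

// The database holds exactly what the user typed: no backslashes to strip.
if ($stored !== $input) {
    throw new RuntimeException('stored text differs from input');
}

// Plain display: everything, including <b>, is rendered literally.
echo toHtml($stored), PHP_EOL;

// Rich-text display: <b> is live again, the script element is still text.
echo toHtmlWithAllowedTags($stored), PHP_EOL;
```

Run it with `php example.php`. The second echo is the one you would use for editor output; if you later need tags with attributes (links, images), the whitelist approach no longer suffices and a purpose-built HTML sanitizer library is the usual next step.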
0

There are two issues here:

  1. SQL Injection - To combat this, you should not be using a string escape function; you should be parameterising the input.
  2. Persistent XSS - (You have not mentioned this, but I suspect this is because you might be unaware of the implications, as you said you are just learning; you should google this.) This occurs when you echo the data back to the end user; to combat this you should use an output encoding function.
schroeder
  • 123,438
  • 55
  • 284
  • 319
meowcat
  • 1,349
  • 1
  • 6
  • 16
  • Thank you, would you care to elaborate? I'd appreciate a link or some keywords I can use to search these up. I'm new to this, so those super long, comprehensive guides are quite unreadable for me at the moment. – Panpaper Mar 19 '19 at 04:44
  • A really good place to start is the 'OWASP' site. https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) It has the top 10 web vulnerabilities on it, and explains them quite succinctly. It also has code examples. – meowcat Mar 19 '19 at 04:49
  • Thanks again, what about "parameterising the input"? What does that mean, and do you have any resources for that? – Panpaper Mar 19 '19 at 05:01
  • Here is a cheat sheet that covers PHP https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Query_Parameterization_Cheat_Sheet.md – meowcat Mar 19 '19 at 05:05