
From the security perspective (and not usability as it's discussed here https://stackoverflow.com/questions/3648430/is-it-a-bad-idea-to-escape-html-before-inserting-into-a-database-instead-of-upon), why is it a bad idea to escape HTML before escaping SQL?

The Illusive Man
    I think you may have misread the question and answers. I don't see anything about escaping SQL or SQL injection in there. – Xander May 23 '14 at 15:19
  • Have a look at [my answer to *Preventing code injection without limiting user input?*](http://stackoverflow.com/a/23501225/53114) – Gumbo May 24 '14 at 05:46
  • @Gumbo now thinking... what about the semicolon? Escaping HTML will introduce a semicolon (e.g. `&quot;`), and could this not be used to exploit the DB? – The Illusive Man May 25 '14 at 09:57
  • @yzT It would only appear within string literals, where it wouldn’t be interpreted as statement separator. – Gumbo May 25 '14 at 10:02

1 Answer


With regard to database security, it's irrelevant. SQL doesn't care if the string contains raw HTML or escaped HTML or whatever.

But as explained in the other question, this messes up the data. I would actually consider it a bug.

Fleche
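An added example (not part of the question or the answer) that shows both points made above in Python with sqlite3: the `;` that `&quot;` introduces is just bytes inside a bound parameter and never acts as a statement separator, while escaping HTML before storage corrupts the data as soon as the view layer escapes again. The sample input is constructed.

```python
import html
import sqlite3

# Constructed sample input: a user-supplied comment containing the characters
# that matter to HTML escaping (quotes, '<') and a literal semicolon.
USER_INPUT = 'Alice said "1 < 2"; then left'


def store_and_fetch(value):
    """Insert `value` with a parameterized query and read it back.

    Returns (stored_text, row_count). The row count stays at 1 and the text
    comes back byte-for-byte, because a bound parameter is data, never SQL
    syntax: a ';' inside it is not seen as a statement separator.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE comments (body TEXT)")
    con.execute("INSERT INTO comments (body) VALUES (?)", (value,))
    (stored,) = con.execute("SELECT body FROM comments").fetchone()
    (rows,) = con.execute("SELECT count(*) FROM comments").fetchone()
    con.close()
    return stored, rows


def render_after_storing_raw(value):
    """Correct order: store the raw text, escape exactly once when rendering."""
    stored, _ = store_and_fetch(value)
    return html.escape(stored)


def render_after_storing_escaped(value):
    """Store HTML-escaped text, then escape again at render time, as any view
    layer that cannot know the data was pre-escaped will. The output is
    double-escaped: the browser shows '&quot;' literally instead of '"'."""
    stored, _ = store_and_fetch(html.escape(value))
    return html.escape(stored)
```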