do I need real_escape_string for parametrized queries ?

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Postby mash » Sat Oct 12, 2013 11:21 am

Do I need real_escape_string for parametrized queries?
... or even more?
Well, I am maintaining a simple CMS where I actually take care of user input, such as comments.
The latter is stripped of any harmful stuff (at least I hope so).
But the administrators and moderators are able to publish articles full of HTML code, so it's a bit tricky to avoid errors that come from copy/paste with hidden $bad_stuff.

Even users may publish comments on coding with PHP code and/or HTML code.
So I need some advice on how to do it properly.

I am an experienced programmer, but my roots are not within PHP/MySQL, so I tried several things to sanitize input, but more or less all the time the content is messed up after several steps of editing.

Actually my code looks like [simplified]:
INSERT INTO articles (bodytext, keywords, teaser, title) VALUES (?, ?, ?, ?)
then bind_param() is used to insert the values

and of course the respective update statements.

So the question is: do I have to do some sanitization of the parameters in question?

And yes, I know about the flaws and issues of having something like "<script>...</script>" inside an article. I'll take care of that.
I mean: DO I REALLY need to take care of the input if I trust the moderators?
Please direct me to any articles related to this problem if you know something worth reading.
mash
New php-forum User
Posts: 7
Joined: Sat Jan 14, 2012 1:36 pm

Re: do I need real_escape_string for parametrized queries ?

Postby johnj » Thu Oct 17, 2013 10:09 pm

All input is evil; you should not trust any input.

You cannot EXPECT somebody else to do the sanitization, validation, error checking, etc. for you. You need to do all of these on your side.
johnj
php-forum Super User
Posts: 1805
Joined: Thu Mar 10, 2011 5:07 pm
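Added example, not code from either poster: the INSERT from the question written as a mysqli prepared statement (no real_escape_string needed for the SQL, since bound values never become part of the query text), with the validation johnj insists on done on the application side, and the separate output-side handling for "<script>" in comments versus moderators' HTML articles. It assumes an open mysqli connection in $mysqli, the articles(bodytext, keywords, teaser, title) table from the question, and the third-party HTML Purifier library for the article case.

```php
<?php
// Added example, not from the thread. Assumes $mysqli is an open mysqli
// connection and the table articles(bodytext, keywords, teaser, title) exists.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors become exceptions

function insert_article(mysqli $mysqli, string $body, string $keywords,
                        string $teaser, string $title): int
{
    // Validation is still our job (johnj's point): reject what the column cannot hold.
    if ($title === '' || mb_strlen($title) > 200) {
        throw new InvalidArgumentException('title must be 1..200 characters');
    }
    // Placeholders keep data and SQL apart: a title such as "O'Reilly" or one
    // containing quotes and semicolons is stored literally, never executed,
    // so no mysqli_real_escape_string() call is needed here.
    $stmt = $mysqli->prepare(
        'INSERT INTO articles (bodytext, keywords, teaser, title) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $body, $keywords, $teaser, $title);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Output side for untrusted comment text: escape, so "<script>" is shown as text.
// Escaping at output time also avoids the "content messed up after several
// edits" problem, because the stored value is never modified.
function render_comment(string $text): string
{
    return '<p>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Moderators' articles legitimately contain HTML, so escaping is wrong there.
// A whitelist sanitizer is the usual answer; HTML Purifier (third-party,
// assumed installed via its autoloader) keeps allowed tags and drops the rest.
function render_article(string $html): string
{
    $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
    return $purifier->purify($html);
}
```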
