So I have been developing a little system in which, at a point, the user can type in some HTML into ckeditor, that HTML is then stored in a database (it's kind of a microCMS).
The problem is When using Mysqli, It inserts escape characters before and after " and ' in order to stop injection, logically, which breaks loads of HTML code.
for example
becomes
or somthing close to that, which breaks the code
Is there a way i can disable the injection prevention, or input it into the database another way ? Or mabi replace the /" when it is being taken from the database ?
Thanks
-jman6495
EDIT :
I have resolved the problem
I replaced the /" by " using the php str_replace function.
here's the code :
$pagecontent = str_replace('\"','"',$pagecontent);
echo $pagecontent;
thanks anyway
-jman6495
If you're seeing these characters when you fetch data back out you're somehow double-escaping the content. Check that you're only escaping it once, and doing it with the placeholder and not mysql_real_escape_string. You haven't fixed the problem. You've un-done the damage of a serious bug.
The purpose of SQL escaping is to insert the data correctly and reliably. For instance, O'Reilly should be O''Reilly for MySQL. The actual content in the database should be O'Reilly regardless of quoting.
Related
I am working on a JavaScript app, in which I am preparing my data replacing tabs with spaces using RegEx in the frontend:
str = str.replace(/\t+/g, " ");
So
'tabbed title'
becomes
'tabbed title' and so on and so forth
This is then passed to an express route which then sends the data to my MySQL database via a stored procedure, utilizing the escape() method from the Javascript MySQL sdk
The issue is, when passing a string where tab characters have been replaced with spaces after the RegEx, the title is being stored in the database as 'tabbedtitle'
When entering 'tabbed title' normally, with spaces entered via my keyboard, the space is preserved. After the RegEx transform, it is not. It seems like SQL is doing something under the hood, or the " " in my RegEx is not a traditional space character (even though in all my of my research it appears it is a regular space)
I've confirmed I am indeed passing 'tabbed title' to the db from express, and there is nothing transforming the data inside my SP. I've even tried entering a utf-8 space \u0020 rather than " " in my RegEx, but the problem perists
Instead of replacing tabs with a space maybe replace them with a hyphen or some other non-whitespace character? Might help narrow it down
How to disable highlighting for SQL code in phpstorm ?
i ever disabled all sql inspection..but color and fonts rules continue to overight
my php string color rules .
Here is an Exemple for what i want to achieve :
$var_php = " all text here is red , SELECT * and whatever sql code is in red too " ;
SQL Language is automatically injected in strings that contain SQL code (which are detected by the typical patterns, e.g. select xx from etc). It also injected in HEREDOC/NOWDOC if you use special label (SQL).
You can disable these (selected on the screenshot below) and any other unwanted injection rules or create your own at Settings/Preferences | Editor | Language Injections.
P.S. Since you do not need any SQL/DB support at all, you may just disable SQL/database support plugins completely.
If you do like such injections in general but just do not want them in a specific place only (e.g. because of the false positive match) then you can force plain text in that string. For example:
$str = /** #lang Text */ 'Select all entries from my cool database';
Please note that such comment must be placed just before the actual string (so it can be used in function call params or alike), not before the whole variable assignment/statement like ordinary PHPDoc comments.
P.S. The same is possible other way around: force SQL in some string that is not autodetected by Language Injection rules (e.g. when string is split into concatenated bits or uses unknown/unexpected sequence/syntax).
You can disable it while leaving other SQL highlighting / inspections alone by creating a new IntelliLang injection which specifically does not match DQL. I used the presence of the : character. This will prevent the IDE from highlighting DQL, and also marking it as error or reformatting it incorrectly.
I've created a Gist with instructions here:
https://gist.github.com/willemnviljoen/d20ad8ad0cc365a7e80744328246610f
Usually PHPstorm does a pretty good job of deciding when SQL string literals should be inspected as SQL code. For individual cases where it gets it wrong, the most "proper" way to disable inspection for a single line is probably the PHPDoc comment mentioned in another answer, like:
$str = /** #lang Text */ 'Select the answer from the list';
But that seems messy to me. Luckily, you can trick PHPstorm pretty easily, as it seems to ignore the string if the first word in a "sentence" is not a SQL keyword (SELECT/UPDATE etc). So a simple (though a bit more hackish) way is to just split the string, like:
$str = 'Select'.' the answer from the list';
I am concerned about inserting text in a MySQl table w.
I have to insert/update text that contains characters such as / " and '
The escape character / could be inserted only if the NO_BACKSLASH_ESCAPES SQL mode is enabled. wich interfere with the characters " and ' see this link http://dev.mysql.com/doc/refman/5.1/en/string-literals.html#character-escape-sequences
If anyone can explain to is in earth the mysql_real_escape_string() I don't came to understated
I would like to find a pure mysql solution
I am not using php. What I am trying to do here is to "simulate " Content Management System: I am about to write a C# coded solution that manage the content in its different forms(article, category ,tag, etc..) and generate .html files, the MySQl database is local in my computer next i will upload the .html files to the server.
I did this to ensure that all my html pages are html valid and because I don't trust any existent solutions (not only when it concerns coding but in life in general)
Please help
each php db connection extension (mysql, mysqli, pdo) has a special way to safe query against sql injections, when you are using mysql extension, it's strongly recommended to use mysql_real_escape_string() function to make safe all variables used in query, it's most widely used function. i think there isn't any pure solution (when you are using mysql extension in php).
from php.net:
mysql_real_escape_string()-Escapes special characters in the
unescaped_string, taking into account the current character set of the
connection so that it is safe to place it in a mysql_query().
Whatever string data can be inserted into SQL query, if formatted according to 2 rules
it is enclosed in quotes (preferably single ones)
it is passed through mysql_real_escape_string()
if both rules followed, there would be not a single problem with whatever characters, either slashes, quotes or anything.
According to your question, / has no special meaning in MySQL. It's \ that is escape character. It can be escaped by another backslash as well.
$str = 'slashes \ quotes \' or whatever " else symbols';
var_dump($str);
$str = mysql_real_escape_string($str);
$sql = "INSERT INTO table SET str='$str'";
I want to make sure rogue users can't damage my site or database by inserting code in my input fields.
What kind of code should I use to test it?
I know there are html tags like iframe but I don't know what to put inside to test it.
Thanks.
HTML
I think using htmlspecialchars(doc) (It's a function in PHP but other language may has similar function) or using other markup system(?)s like phpBB and MediaWiki would be work. Using HTML tags by black/whitelisting tags can work but it's quite dangerous - a cracker would harm your site by XSSing.
For example, you may think that only allowing p, br, img, font, a is OK (BTW, it's not good to use font when one can use CSS), but XSS can be done by input <img src="asdf" onerror="alert('hi')"/> or <a href="javascript:alert('hi')">.
SQL
You should aware of SQLi - injecting SQL commands.
An example of SQLi is :
A way to avoid being SQLi'd in PHP is using mysql_real_escape_string(doc).
You could read about SQL Injections
Insert special characters, especially ', ?, ", $, ;, , and \. If your site doesn't fail on those, you're on the right track.
But the best is to use queries with parameters. You just pass the string as a parameter and the database takes care of escaping the characters for you. You can hardly make a mistake if you do that.
It really depends on the architecture and user interaction with your site.
SQL injection into user entered fields is a typical attack on systems that use databases for user logins etc. Hence restrictions on characters entered into user fields and screening them before use.
"About your son ..."
"Oh Little Billy !drop tables ?"
What is the best function to run my strings through to ensure that MySQL injection is impossible?
Also, will it require running it through another function on the way out to make it display correctly?
See also
Are Parameters really enough to prevent Sql injections?
C# Parameterized Query MySQL with in clause
Can I protect against SQL Injection by escaping single-quote and
surrounding user input with
single-quotes?
Parameterized Queries
A parameter function.
Humor aside, I mean don't dynamically execute user-entered content as SQL if you can at all avoid it. Pass everything as parameters, and reference them from your query instead. See Chad Birch's answer for a good link explaining this.
As Chad says, always use parameterized queries to avoid SQL injection.
To answer the second half of your question, if your output is to a web page then always escape any special HTML characters (&, <, >) to protect against script injection.
Add to parameterized queries the use of input validation within the application. Never trust that the input is clean. Check it. For instance, if it's supposed to be an integer, check to make sure it converts to a numeric value without issue.
In PHP the best way is to use HTML escaping on strings.
It turns special characters into HTML compliant characters.
Example: " " (space) transforms into "%20".