Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

How to prepare a string to be inserted in a database and put in a textfield
  • #146455
    Jochim
    Participant

    I’m working on a forum where users can input their own posts (and later edit them) and I need their input to be properly escaped, sanitised, validated, … This may not seem like a difficult thing to do but I ran into some serious problems along the way.

    I think I’m finished with the post content escaping, here is how I did it using HTMLPurifier:

        <?php
        // Assumes the Markdown and HTMLPurifier libraries are already loaded
        // (e.g. via an autoloader); $title is prepared separately, see below.
        $content = Markdown::defaultTransform($_POST['content']);

        $config = HTMLPurifier_Config::createDefault();
        $config->set('Core.Encoding', 'UTF-8');
        $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
        $config->set('Cache.DefinitionImpl', null);

        // Whitelist of elements and attributes that may survive purification
        $config->set('HTML.Allowed', 'a[href|title],blockquote[cite],p,ul,li,strong,em,pre,code,img[src]');

        $purifier = new HTMLPurifier($config);

        $title = $purifier->purify($title);
        $content = $purifier->purify($content);

    The input is markdown so first I convert that into HTML and then I purify the HTML with HTMLPurifier.

    This was the easy part; however, doing the same for the post title is way harder. I can get the title input ready to be inserted in the database fairly easily by doing this:

        // Trim, collapse runs of whitespace to one space, then encode <, >, " and '
        $title = htmlentities(preg_replace('!\s+!', ' ', trim($_POST['title'])), ENT_QUOTES);


    This will deal with single quotes, double quotes, < and >.

    Example: test <"> test <'> will be converted into test &lt;&quot;&gt; test &lt;&#039;&gt; (with less than, quote, greater than, …)

    Then I insert the newly converted string into the database. Up to this point I think I’m doing everything OK, but once my users need to edit the post title I need to get it out of the database and into an input type “text”. This is where I got screwed up.

    When I get the string test &lt;&quot;&gt; test &lt;&#039;&gt; (with less than, quote, greater than, …) from the database and insert it into the value of the input type “text” it appears correctly, but if I want to purify it like the content, the double quote and single quote turn back into " and '.

    Is the post title still secured from XSS injection when I don’t purify it?

    Or are there better/easier alternative ways of doing this?

    Note: I am using PDO so escaping input data to prevent sql injection won’t be an issue.

    #146504
    Jochim
    Participant

    Be aware that “using PDO” does not, in and of itself, do anything special in terms of SQL injection. Do you mean to say that you’re using prepared statements?

    Yup, I’m using prepared statements, sorry, my bad :)

    Since you’re allowing users to come back and edit things, I would suggest saving the original (non-htmlpurifier’d) content in the database alongside the “display-ready” content.

    Yes, I’m already saving both in the database, but shouldn’t I purify the original too? It’s only echoed inside a <textfield> but what if they just put </textfield> and their ‘evil code’?

    as long as you remember to clean it up before printing it.

    I know htmlentities would prevent this, but isn’t it better to run that function once and insert the ‘clean input’ into the database rather than calling it every time it gets requested?
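The approach discussed in this post (keep the raw title in the database and escape it for the output context when rendering), as an added PHP example that is not code from the thread. It uses only PHP's standard library; the helper names normalize_title, escape_html, render_edit_form and render_edit_textarea are this example's own, and it also shows why encoding before storage and again on output double-encodes the title.

```php
<?php
// Added example, not code from the thread: keep the *raw* title in the
// database and escape it for the exact output context when rendering.
// Standard-library PHP only; run with `php example.php`.

// Normalise once on input (trim, collapse whitespace, same regex idea as the
// first post) but do not HTML-encode here: the database is not an HTML context.
function normalize_title(string $raw): string
{
    return preg_replace('/\s+/', ' ', trim($raw));
}

// Escape for HTML: safe inside element text and inside a double- or
// single-quoted attribute. ENT_QUOTES encodes both quote kinds, ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning '' (which would lose the title).
function escape_html(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The edit form is rendered from the raw stored value; escaping happens here,
// at output, so the user sees exactly what they typed and cannot close the
// attribute or the <input> tag with quotes or angle brackets.
function render_edit_form(string $raw_title): string
{
    return '<input type="text" name="title" value="' . escape_html($raw_title) . '">';
}

// Constructed sample input, the same string used in the first post.
$raw = normalize_title("  test <\"> test <'>  ");

echo "Stored (raw):     $raw\n";
echo "Edit form:        " . render_edit_form($raw) . "\n";

// The trap from the first post: encoding before storage and encoding again on
// output double-encodes, so a stored &quot; comes back as &amp;quot; and the
// form field shows the literal text "&quot;" instead of a quote character.
$stored_encoded = htmlentities($raw, ENT_QUOTES, 'UTF-8');
echo "Stored (encoded): $stored_encoded\n";
echo "Double-encoded:   " . render_edit_form($stored_encoded) . "\n";

// For the Markdown body the same rule applies: keep the raw Markdown for
// editing (shown in a <textarea> via escape_html, which neutralises any
// </textarea> inside it), and run Markdown -> HTMLPurifier only on display.
function render_edit_textarea(string $raw_markdown): string
{
    return '<textarea name="content">' . escape_html($raw_markdown) . '</textarea>';
}
echo render_edit_textarea("# title\n\n</textarea> stays inert\n") . "\n";
```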

    #146556
    Jochim
    Participant

    @traq could you please, if you want to and if you’ve got time, take a look at my code? I’m kind of confused, to say the least…

    #146559
    Jochim
    Participant

    OK, thanks for the support :)
