Question
Strings can be escaped in php before inserting them into database. But what happens, if an user of my website enters a php code?
For eg. An user submits the following to a form, which escapes the string and inserts the data into my database.
Hello! <?php echo 'this is evil'; ?>'
Then this php line will be stored in the database. And when I display the content, it will be converted into this :
<div>Hello!<?php echo 'this is evil'?></div>
Isn't this a potential security risk? As the php code can be very malicious?
Does this mean I have to use strip_tags on every user input?
Solution
No It's not risky since php does not interpret the code and actually you don't use eval for this values so it will be shown as a plain text.
Now the thing is you should validate user's inputs. for example if this is an input for firstname, no one's name contains < or ?. so you can use Regexp to validate values.
Or you should print htmlentities of the value instead of raw value.
OTHER TIPS
That PHP code won't run but you have to validate userr form data before submitting it in database
replace all "<" and ">" to < and > respectivly
https://stackoverflow.com/questions/23588727
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian$data = str_replace("<","<",$data);
$data = str_replace(">",">",$data);
this also help if user try to insert some javascript into your code
you have to add anti injection function, such as mysqli_real_escape_string() or htmlspecialchars() or addslashes() to your data that have submited by users
