
I am storing forms, as well as the form-processing scripts, JavaScript validation scripts and form CSS, in the database, and I am using eval() for the PHP code, so my question is: do I need to use htmlspecialchars() or htmlentities()?

Anyway, I am using mysqli_real_escape_string() and nl2br(), and please don't warn me about how to use eval() securely or that eval is evil etc. etc.; that's not the concern here. The thing is, if I am not using htmlspecialchars or htmlentities, the HTML will go into the database as it has been posted, i.e. < will be < and not &lt;, so do I need to use those functions, or are they not really required in this case?

Random Guy
  • If you don't use one of them, there's a big XSS hole. Well, actually there already is a security hole with the name of `eval`. – Leri Jan 15 '13 at 07:41
  • @PLB only the system administrator will be accessing the code, so no issue of XSS. Read my question: I said don't warn me about the security; user inputs won't be executed, only the system administrators will be doing so – Random Guy Jan 15 '13 at 07:43
  • You obviously do not care about writing robust code, so why do you not try them all out and see what works? If it does not work then you will get an error. Keep trying until it works, and you will have your answer. – Sverri M. Olsen Jan 15 '13 at 07:46
  • I'd warn even if you warned me that you'd shoot if I warned you. ;) But that's not the case. `eval` starts a new php process, which is also not desirable. And I am unclear now about your needs. If you want to render it as HTML code in the browser, you definitely need to use either `htmlspecialchars` or `htmlentities`. If you want to render a web page with proper mark-up from the db, you don't need to. – Leri Jan 15 '13 at 07:48
  • eval is evil despite what you think about the matter – Your Common Sense Jan 15 '13 at 07:57
  • You guys really go with standards all the time; the standard says it's bad, then it's bad, it says good, then wow, run behind it. But I don't go that way; that function has real power and I am using it anyway. Thanks everyone – Random Guy Jan 15 '13 at 08:13
  • The function has more power to unintentionally do evil than intentionally do good. You haven't revealed why the admin should enter code that is eval'd - if you did, a better solution for the same might have come up. – Sven Jan 15 '13 at 08:54
  • @Sven I am generalising a system for different workgroups having different forms; no better option than `eval()` – Random Guy Jan 15 '13 at 09:27
  • If the admin should enter executable PHP code to be eval'd, why don't you let him enter the code directly and execute it the usual way. That way you'll also get the performance boost of any opcode cache installed. – Sven Jan 15 '13 at 12:44
  • because once the script is ready, kind of, say, an insert form, it will be accessed by the employees for daily records – Random Guy Jan 15 '13 at 12:47

1 Answer


Generic answer: Use escaping functions when there is a change in context.

When putting a plain text string into SQL: Escape for SQL.

When putting a plain text string into HTML: Escape for HTML.

When putting a plain text string into a URL: Escape for URL.

When doing more than one thing of the above: Do all escaping in the right order, and really try to find out if you haven't missed a context change.

Demo question:

Start

    $param = "foo";
    $url = "http://www.example.org/newpage";

End

    <a href="javascript:location='http://www.example.org/newpage?param=foo';return false;">Link</a>
Sven
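The answer's rule carried through in code, as an added example that is not part of the question or of Sven's answer: `buildJsLink()` produces the "End" link from the "Start" values, escaping once per context change from the innermost context outwards, and `renderStoredForm()` covers the questioner's stored-markup case along the line Leri's comment draws (render as markup vs. show as source). Both function names are hypothetical, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer. It covers the two
// cases discussed on the page: the questioner's stored form markup, and
// Sven's "Start -> End" link, which crosses several contexts.

/**
 * The questioner's case: the same stored string needs different treatment
 * depending on how it is shown.
 *  - rendered as a page: output the admin-authored markup unchanged
 *  - shown as source (e.g. inside <pre> in an editor): escape for HTML text
 */
function renderStoredForm(string $storedHtml, bool $asSource): string
{
    if ($asSource) {
        // Context change: raw HTML -> HTML text content, so '<' becomes '&lt;'.
        return '<pre>' . htmlspecialchars($storedHtml, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</pre>';
    }
    // No context change: the stored value already *is* HTML.
    return $storedHtml;
}

/**
 * Sven's demo, solved: build <a href="javascript:location=...;return false;">
 * from $url and $param. One escaping step per context, innermost first.
 */
function buildJsLink(string $url, string $param, string $label): string
{
    // Context 1: plain text -> URL query component.
    $target = $url . '?param=' . rawurlencode($param);

    // Context 2: string -> JavaScript string literal. json_encode() yields a
    // double-quoted literal; the HEX flags also neutralise < > & ' " inside it.
    $jsLiteral = json_encode(
        $target,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_UNESCAPED_SLASHES
    );
    if ($jsLiteral === false) {
        throw new InvalidArgumentException('URL is not valid UTF-8');
    }
    $js = 'location=' . $jsLiteral . ';return false;';

    // Context 3: JavaScript source -> body of a javascript: URL. Browsers
    // percent-decode that body before running it, so any '%' produced by
    // rawurlencode() above must itself be encoded or the decode would undo it.
    $jsUrl = 'javascript:' . str_replace('%', '%25', $js);

    // Context 4: URL -> double-quoted HTML attribute value.
    $href = htmlspecialchars($jsUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // The link text is HTML text content, its own context.
    $text = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return '<a href="' . $href . '">' . $text . '</a>';
}

// Sven's Start values.
echo buildJsLink('http://www.example.org/newpage', 'foo', 'Link'), PHP_EOL;

// Constructed sample: a parameter with characters that are special in every context.
echo buildJsLink('http://www.example.org/newpage', "a b&c='\"<>", 'Link & more'), PHP_EOL;

// Constructed sample: a stored form fragment, rendered vs. shown as source.
$form = '<form method="post"><input name="q" value="x &amp; y"></form>';
echo renderStoredForm($form, false), PHP_EOL;
echo renderStoredForm($form, true), PHP_EOL;
```

For the Start values this prints `<a href="javascript:location=&quot;http://www.example.org/newpage?param=foo&quot;;return false;">Link</a>`: a double-quoted literal with `&quot;` rather than Sven's single quotes, which the HTML parser decodes back to `"` before the script runs, so it is equivalent to the End line. The `%` step is the kind of hidden context change the answer tells you to look for: a `javascript:` URL is still a URL, and its body is percent-decoded before evaluation.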