mysql prepared statements & html purifier couple concept

Question

Hi

i am at prototype stage with my site. After I asked this question in this site and after extra readings I concluded to use mysql prepared statements.

With my new way of thinking I want to be sure that I understood the things correctly so my 2 questions are:

1. if I use prepared statements during untrusted data insertion into mysql, I need NOT to use mysqli_real_escape_string function. Am I right?

2. if I use prepared statements while fetching & displaying data from mysql db to screen as html, (for security reasons) it will be better to use html purifier class, so I should use html purifier class. Am I right?

   Can you please guide me with my way of thinking? Does my method make sense?
   
   Thanks,BR

Answer 1

Yes, it does.
mysqli_real_escape_string function has nothing to do with whatever protection anyway.
html purifier is a good thing but you can substitute it with lazy htmlspecialchars() function call, if no HTML in user input expected.

The only thing to mention about prepared statements: they cover only basic scalar values and helpless against complex values such as identifiers (table and field names) or arrays.

Answer 2

if I use prepared statements during untrusted data insertion into mysql, I need NOT to use mysqli_real_escape_string function. Am I right?

You got the point. Prepared statement has their own escape procedure.

if I use prepared statements while fetching & displaying data from mysql db to screen as html, (for security reasons) it will be better to use html purifier class, so I should use html purifier class. Am I right?

You are also right. When you print your html you have to be sure it is safe so they are two solution : the radical one : escaping everithing with htmlspecialchars or the softer one that allows safe html tags : using htmlpurifier.

I also want you to introduce you to a rule that will bring you to a secured and more comfortable website : filter in escape out.

prepared statement and htmlpurifier are here to "escape out" that means you will send your datas in a way they are understandable to your output.

The filter in part of the rull makes you study what your users input. A nice example would be date formats. Perhaps you want them to enter a date with the english format Y-m-d. If they don't your website won't work so you have to ask them to enter the date again the right way. There is one method to remember about filtering : filter_var

Answer 3

if I use prepared statements during untrusted data insertion into mysql, I need NOT to use mysqli_real_escape_string function. Am I right?

Correct

if I use prepared statements while fetching & displaying data from mysql db to screen as html, (for security reasons) it will be better to use html purifier class, so I should use html purifier class. Am I right?

Using prepared statements will protect your database from SQL injection. It will do nothing for XSS attacks. You need some kind of defence against those.

Since "protecting the database" and "protecting the HTML" are completely separate problems, the choice of solution for one has no bearing on the choice of solution for the other.

Using a whitelist based filter built around a real HTML parser (I assume HTML purifier is one of those) is a sane choice (if you want to allow some HTML).

Answer 4

1) If you use prepared statements to insert your data, you do not need to escape quotes and other special characters within it. Basically, you are protected against SQL injection. However, you still need to sanitize the data so that it contains no XSS attacks. You are on the right track for this, as you're looking into HTML Purifier. Also, you need to write business logic code to validate your data to make sure that it is indeed what you're expecting (type-checking, range checking, etc.).

2) In theory, you should sanitize the data before you display to the user and HTML purifier can do this task. In practice, however, you will notice that HTML purifier is a pretty heavy library and therefore not well suited to be used every time the data is displayed. A better-performing solution is to run HTML purifier on the data before it is inserted into the database, then display it without extra validation. You are essentially trying to ensure that your database is clean, because if the database is clean then whatever comes from there will definitely be clean as well. This is also a good approach for security in general.

Your validation procedure should be something like:

if( ! isValid( $rawData ) ) {
    return;
}
$purifiedData = htmlPurifier( $rawData );
mysql_prepared_insert( $purifiedData );

Of course, this is only one way to do it. There are many approaches to good security and sanitizing data. Also, it is important that you understand why you would use HTML Purifier. You should use it when you want to allow your users to post some HTML tags, but not all. If you want to block all HTML, then the htmlspecialchars function will do the trick in a much more efficient way. HTML purifier is good when you have a whitelist of tags that you want to allow and block everything else. You can also use it to strip down all tags instead of escaping them, therefore making the text look slightly better than after it goes through htmlspecialchars.