I know I've already asked a question about sanitizing and escaping, but I have a question which didn't get answered.
Okay, here goes. If I have a PHP script and I GET the user's input and SELECT it from a MySQL database, would it matter/be any security risk if I didn't escape < and > through the use of either htmlspecialchars, htmlentities or strip_tags, and therefore allowed HTML tags to be selected/searched from the database? Because the input is already being sanitized through the use of trim(), mysql_real_escape_string and addcslashes (\%_).

The problem with using htmlspecialchars is that it escapes the ampersand (&), which the user input is supposed to allow (I guess the same goes for htmlentities?). With the use of strip_tags, something like "John" results in the PHP script selecting and displaying results for John, which it isn't supposed to do.
Here is my PHP-code for sanitizing the input, before selecting from the database:
if(isset($_GET['search'])) {
    if(strlen(trim($_GET['search'])) >= 3) {
        // Escape the LIKE wildcards (\ % _) first, then quote for the SQL string literal
        $search = mysql_real_escape_string(addcslashes(trim($_GET['search']), '\%_'));
        // FROM clause added here for a runnable statement; the table name "people" is assumed
        $sql = "SELECT name, age, address FROM people WHERE name LIKE '%".$search."%'";
        [...]
    }
}
And here is my output for displaying "x matched y results.":
echo htmlspecialchars(strip_tags($_GET['search']), ENT_QUOTES, 'UTF-8')." matched y results.";
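A worked version of the two separate escaping steps this post is about (LIKE-wildcard escaping before the query, HTML escaping on output), as an added example that is not the asker's code. It is written in Python against an in-memory SQLite table named people with constructed sample rows, and uses parameter binding where the PHP uses mysql_real_escape_string; the schema and the data are assumptions for the demonstration. It also shows, side by side, what goes wrong when the wildcard escaping is skipped and when the output escaping is skipped, and that the &amp; produced for a literal & is turned back into & when a browser renders it.

```python
import html
import sqlite3

# Constructed sample rows (not from the original post).
ROWS = [
    ("John <b>Smith</b>", 30, "1 Main St"),
    ("Tom & Jerry", 25, "2 Side Rd"),
    ("100% Bob", 40, "3 Percent Ave"),
    ("Alice", 22, "4 Oak Ln"),
]


def make_db():
    """Create the assumed 'people' table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, age INTEGER, address TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)", ROWS)
    return conn


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so user input matches literally.

    This is the job addcslashes($s, '\\%_') does in the post: the escape
    character itself, then % and _.  Quoting for the SQL string literal is a
    separate concern, handled here by parameter binding instead of
    mysql_real_escape_string.
    """
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search(conn, term):
    """Hardened search: bound parameter + ESCAPE clause, so '%' or '_' in the
    user's input is searched for literally and quotes cannot break the SQL."""
    pattern = "%" + escape_like(term) + "%"
    cur = conn.execute(
        "SELECT name, age, address FROM people WHERE name LIKE ? ESCAPE '\\'",
        (pattern,),
    )
    return cur.fetchall()


def search_no_wildcard_escape(conn, term):
    """Same query with the wildcard escaping left out: injection-safe thanks to
    binding, but a search for '%' matches every row."""
    cur = conn.execute(
        "SELECT name, age, address FROM people WHERE name LIKE ?",
        ("%" + term + "%",),
    )
    return cur.fetchall()


def render_summary(term, count):
    """Output in an HTML context: escape <, >, &, and quotes.  The browser
    displays '&amp;' as '&', so the visible text is still what the user typed."""
    return "%s matched %d results." % (html.escape(term, quote=True), count)


def render_summary_unescaped(term, count):
    """Echoing the raw search term into the page: any tag in it becomes markup."""
    return "%s matched %d results." % (term, count)


if __name__ == "__main__":
    db = make_db()
    for term in ["%", "' OR 1=1 --", "<b>", "Tom & Jerry"]:
        hits = search(db, term)
        print(render_summary(term, len(hits)))
```

Note that the HTML escaping is applied only at the point of output; the value stored or searched in the database keeps its < and > and &, which is what the post wants. The thing the database layer needs protected from is quoting and wildcard characters, and that is a different escaping from the one the HTML page needs.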