
I have a textarea which will be available to users as a comment box, so any sort of input is acceptable, but it should be accepted only as text and not code. Basically I want to protect my database. I don't want to strip tags or anything like that; I just want that if any user inputs code, it should be stored in the database as text and shouldn't cause any harm to the database. So I came across these two PHP functions; now I am not sure which one of these I should use, as I am not able to understand the difference between them.

bɪˈɡɪnə
    This is only related to html output. To insert safely in your database, you should use a prepared statement. Then you don't have to clean / encode your data separately. – jeroen Feb 16 '16 at 10:10
  • @jeroen oh thanks, already using that, so you mean these functions are merely for browsers? And if I'm not using prepared statements, using these functions will not help sanitizing data to be stored in the db? – bɪˈɡɪnə Feb 16 '16 at 10:18
  • Exactly, this does nothing for the database. – jeroen Feb 16 '16 at 10:20

2 Answers

According to official PHP docs, htmlspecialchars() and FILTER_SANITIZE_FULL_SPECIAL_CHARS should be equivalent:

Equivalent to calling htmlspecialchars() with ENT_QUOTES set. Encoding quotes can be disabled by setting FILTER_FLAG_NO_ENCODE_QUOTES. Like htmlspecialchars(), this filter is aware of the default_charset and if a sequence of bytes is detected that makes up an invalid character in the current character set then the entire string is rejected resulting in a 0-length string. When using this filter as a default filter, see the warning below about setting the default flags to 0.

Taken from here - https://www.php.net/manual/en/filter.filters.sanitize.php

Going from here, I think it would be a matter of personal preference as to which function you prefer more.

Alexander Kucheryuk

From this: http://forums.phpfreaks.com/topic/275315-htmlspecialchars-vs-filter-sanitize-special-chars/

They are quite similar, yes, but as the PHP manual states, htmlspecialchars escapes a bit more than just FILTER_SANITIZE_SPECIAL_CHARS.

That brings us to the next point, SQL injection prevention. As stated htmlspecialchars is for escaping output to a HTML-parser, not a database engine. The DB engine doesn't understand HTML, and doesn't care about it either. What it does understand, is SQL queries. SQL queries and HTML use quite different meta-characters, with only a few in common: Quotes being the most obvious, and even that is somewhat conditional for HTML. However, due to the other meta-characters (which HTML does not share) using HTML escaping methods for SQL queries will not protect you. Those meta-characters will go through htmlspecialchars unscathed, and thus be able to cause SQL injections.

Same the other way around, if you use SQL escaping methods to escape output going to a browser. It will not escape the < and > signs, meaning an attacker can easily perform HTML injection attacks (XSS etc). Not only that, but you'll suddenly have a lot of slashes in places where there shouldn't be any. Which is quite annoying, at best.

This is why it's so important to know, and use, the proper method for the third-party system you're sending the data to. If you don't, you are still vulnerable.

Mr. Engineer
    Sorry, but the question is about `FILTER_SANITIZE_FULL_SPECIAL_CHARS`, not `FILTER_SANITIZE_SPECIAL_CHARS`. – Socob Feb 14 '17 at 21:03
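As an added example (not code from the question or either answer), the script below checks the two points made here: the two functions produce the same HTML encoding for a sample comment, the characters that matter to SQL pass through that encoding untouched, and a PDO prepared statement stores the raw text without any encoding. It assumes PHP 7+ with the pdo_sqlite extension for the in-memory database.

```php
<?php
// Added example, not code from the question or either answer.
// Assumes PHP 7.0+ with the pdo_sqlite extension (for the in-memory DB).
declare(strict_types=1);

// Constructed sample comment: HTML metacharacters plus characters that
// matter to SQL but mean nothing to HTML (backslash, semicolon, double dash).
$comment = "Nice <b>post</b> & \"thanks\" -- it's \\ done; really";

// 1. Both functions encode & < > " ' identically, as the manual states
//    (FULL_SPECIAL_CHARS is htmlspecialchars() with ENT_QUOTES set).
$viaHtmlspecialchars = htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
$viaFilter = filter_var($comment, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
echo 'Same HTML encoding: ', var_export($viaHtmlspecialchars === $viaFilter, true), "\n";
echo 'Encoded: ', $viaHtmlspecialchars, "\n";

// 2. The SQL-relevant characters survive HTML encoding untouched, which is
//    why neither function protects a query built by string concatenation.
foreach (['\\', ';', '--'] as $meta) {
    echo "'$meta' still present after HTML encoding: ",
        strpos($viaHtmlspecialchars, $meta) !== false ? 'yes' : 'no', "\n";
}

// 3. Correct handling for the database: bind the raw text as a parameter.
//    The driver keeps data separate from SQL, so nothing needs encoding here.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $comment]);

// 4. Read it back: the stored value is the user's text, byte for byte.
$stored = $pdo->query('SELECT body FROM comments')->fetchColumn();
echo 'Stored verbatim: ', var_export($stored === $comment, true), "\n";

// 5. Encode only at the HTML boundary, when the comment is rendered in a page.
echo '<p>', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "</p>\n";
```

Swap the SQLite DSN for your real connection; the prepare/execute pattern is the same for MySQL and PostgreSQL.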