
I have a form.

I use htmlspecialchars so when user submits the form,

```php
// $_POST['test'] equals "> 5"
$test = htmlspecialchars($_POST['test'], ENT_QUOTES);
...
$stmt->bindParam(':test', $test);
...
```

When I pull it from the database, it is like this:

This does not work:

```php
if($row['test'] == '> 5') {
    echo $row['test']; // "< 5"
}
```

This works:

```php
if($row['test'] == '&gt; 5') {
    echo $row['test']; // "< 5"
}
```

How can I make it work with this: `if($row['test'] == '< 5')` and not `&gt; 5`? I still want to use htmlspecialchars.

Jason Bale
  • Only use `htmlspecialchars` for outputting, not for the storage. – chris85 Apr 16 '18 at 03:47
  • For one thing you are using less than in one and greater than in the other. – Alan Apr 16 '18 at 04:02
  • Don't use `htmlspecialchars`. You do not know if that will be used in an HTML context, as your example here clearly demonstrates it will often not be. – tadman Apr 16 '18 at 04:09
  • @chris85 so what should I use for XSS protection when inserting it? – Jason Bale Apr 16 '18 at 05:14
  • @tadman so what should I use for XSS protection when inserting it? – Jason Bale Apr 16 '18 at 05:14
  • @JasonBale XSS doesn't occur in the database. Use it when/if you output to the browser. – chris85 Apr 16 '18 at 05:17
  • @chris85 Oh I see. What should I use for security in general when I insert it into the database? – Jason Bale Apr 16 '18 at 05:26
  • @JasonBale The prepared statements are correct for SQL. XSS and SQL injections are separate issues and should be handled separately. To prevent the XSS you need to escape characters that will affect the browser's rendering. – chris85 Apr 16 '18 at 05:27
  • @chris85 Thank you so much! You helped me so much! Are there any other security issues/measures I should take besides XSS and SQL injections? – Jason Bale Apr 16 '18 at 05:50
  • [The list of possible threats is *extremely* long](https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series) and it's important to at least be aware of them. This is why I strongly encourage people to use a development framework instead of hand-rolled code: A framework will have well-defined methods and best practices for dealing with them. Frameworks come in many forms from really lean like [Fat-Free Framework](https://fatfreeframework.com/) to exceptionally full-featured like [Laravel](http://laravel.com/) and many spots in between, so there's probably one that fits your use case. – tadman Apr 16 '18 at 18:50
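The pattern chris85 describes in the comments (prepared statements take care of SQL injection, `htmlspecialchars` is applied only when the value is written into an HTML page), as an added PHP example that is not code from the question or its answers. It assumes PDO with the pdo_sqlite extension, uses an in-memory database, and substitutes a constructed string for `$_POST['test']`:

```php
<?php
// Added example: store the raw value with a prepared statement, compare it raw,
// and escape only at the point where it is rendered as HTML.
// Assumes the pdo_sqlite extension; the database is in-memory and constructed here.

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE form (id INTEGER PRIMARY KEY, test TEXT NOT NULL)');
    return $pdo;
}

// Storage: the bound parameter protects against SQL injection. No HTML
// escaping here, because the database is not an HTML context.
function storeTest(PDO $pdo, string $value): int {
    $stmt = $pdo->prepare('INSERT INTO form (test) VALUES (:test)');
    $stmt->bindParam(':test', $value);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function loadTest(PDO $pdo, int $id): ?string {
    $stmt = $pdo->prepare('SELECT test FROM form WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['test'];
}

// Output: escape at the moment the value enters an HTML page, with an explicit
// charset so multibyte input cannot smuggle a stray byte past the escaper.
function renderTest(string $value): string {
    return '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Constructed input standing in for $_POST['test'].
$pdo = makeDb();
$id  = storeTest($pdo, '> 5');
$raw = loadTest($pdo, $id);

// The comparison from the question works because the stored value is untouched.
var_dump($raw === '> 5');

// The browser receives the escaped form; the database never does.
echo renderTest($raw), PHP_EOL;
```

Because escaping happens in `renderTest()` only, the same stored value can also be written into JSON, a CSV export, or an e-mail with the escaping appropriate to that context, which is the point tadman makes about not knowing the output context at storage time.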

1 Answer


Use htmlspecialchars_decode(), i.e.:

```php
// Decode with the same flags used when encoding (ENT_QUOTES), so that quotes
// stored as &quot; / &#039; are restored as well, not only <, > and &.
$test = htmlspecialchars_decode($row['test'], ENT_QUOTES);
if($test == '< 5') {
    echo $test; // "< 5"
}
```

Pedro Lobito
  • The problem is that it was erroneously encoded in the first place and now the database is full of mangled data. This just doubles down and fossilizes the problem. – tadman Apr 16 '18 at 04:09
  • @tadman My answer *fixes* OP's problem, but I agree with you regarding the *mangled DB*, it should never have happened in the first place. – Pedro Lobito Apr 16 '18 at 13:14
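The decode-on-read approach from this answer, together with the double-encoding hazard tadman raises and a one-time migration that decodes the already-stored rows, as an added PHP example that is not code from the answer. It assumes PDO with the pdo_sqlite extension; the table rows are constructed here to look the way the question's code would have stored them:

```php
<?php
// Added example: decoding on read restores the comparison for rows that were
// stored already-encoded, but such rows remain a trap if the stored value is
// ever passed through htmlspecialchars() again. A one-time migration that
// decodes them removes the trap. Assumes the pdo_sqlite extension.

function decodeStored(string $stored): string {
    // Same flags the question used when encoding, so &#039; becomes an
    // apostrophe again instead of surviving the decode.
    return htmlspecialchars_decode($stored, ENT_QUOTES);
}

function renderHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE form (id INTEGER PRIMARY KEY, test TEXT NOT NULL)');

// Constructed rows, stored the way the question's code would have stored them.
$pdo->exec("INSERT INTO form (test) VALUES ('&gt; 5'), ('O&#039;Brien')");

// Reading with the decode step from the answer.
foreach ($pdo->query('SELECT id, test FROM form') as $row) {
    $decoded = decodeStored($row['test']);
    printf("%d stored=%s decoded=%s\n", $row['id'], $row['test'], $decoded);
    // Escaping the stored (already encoded) value again escapes its '&' a
    // second time: that is the double encoding the comments warn about.
    printf("   escaped stored value:  %s\n", renderHtml($row['test']));
    printf("   escaped decoded value: %s\n", renderHtml($decoded));
}

// One-time migration: decode every row once, after which the application can
// store raw values and escape only at output. This is lossless only if every
// row went through htmlspecialchars() on the way in, as the question's code
// guarantees (a user who typed a literal "&gt;" was stored as "&amp;gt;").
$rows   = $pdo->query('SELECT id, test FROM form')->fetchAll(PDO::FETCH_ASSOC);
$update = $pdo->prepare('UPDATE form SET test = :test WHERE id = :id');
$pdo->beginTransaction();
foreach ($rows as $row) {
    $update->execute([':test' => decodeStored($row['test']), ':id' => $row['id']]);
}
$pdo->commit();

// After the migration the raw comparison from the question works directly.
foreach ($pdo->query('SELECT test FROM form') as $row) {
    var_dump($row['test'] === '> 5' || $row['test'] === "O'Brien");
}
```

The migration is wrapped in a transaction so a failure part-way through leaves no mix of decoded and still-encoded rows, which would make the read path ambiguous.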