On my server I have magic_quotes turned off.
When a user saves content as an article in my DB from a form, I use
$text = mysql_real_escape_string($_POST['text']); to prevent SQL injection.
This is my input <img src="image.png"></img> and this is what is saved in the DB: <img src="image.png"></img>
When I echo htmlentities($row['text']); I get <img src="image.png"></img> printed on screen, and in view source I get &lt;img src=&quot;image.png&quot;&gt;&lt;/img&gt;.
My questions are
- Isn't it supposed to be saved in the DB like <img src=\"image.png\"></img> to prevent SQL injections?
- Is htmlentities a good candidate to prevent XSS attacks?
- Should I turn on magic_quotes?
No. SQL injections are widely misunderstood, mainly because they actually have nothing to do with SQL: they are just string manipulation. You don't need to alter the data you insert into the database, you only have to alter the string you send to the database server as the query (unless you make the wise choice and use prepared statements instead of escaping the query string). The data, once stored, should be in its original state.
Yes, but htmlentities() is good for sending data as output to the browser, not for storing it in the database (as the data from the DB might be used for something other than a web page).
No, you should use prepared statements.