Home/ Questions/Q 7179563
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T17:09:55+00:00

This question gets asked a lot, but I still haven’t found a straight answer

  • 0

This question gets asked a lot, but I still haven’t found a straight answer on stackoverflow. Are these two functions sufficient or not? There are a lot of contradictory comments around the internet “yes its fine?, “no, never use it”. Others say, use PDO, which I don’t understand. I’m just a beginner to PHP, so I don’t fully understand all of the ins and outs of security.
I’ve tried reading and understanding the following, but many don’t make much sense to me.

http://ha.ckers.org/xss.html
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

What if I use preg_replace to strip unwanted characters?

I’m incredibly confused and don’t know where to start.

EDIT: Could someone please also recommend how I go about understanding prepared statements (assuming this is the best option).

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Sam, if you are storing the input in a database, to avoid SQL injection and XSS then those two functions are enough. If you are storing passwords, you must encrypt the passwords with one-way encryption (that is they can not be decrypted).

    Let me expand my answer:
    First of all, SQL Injection is a method where a malicious user will attempt to modify your SQL statement to make it do their will. For example, let’s say you have a login form. By inserting one of the following values into an un-protected form, I will be able to log into the first account without knowing the username or password:

    ' or 1=1 --

    There are many versions of the above injection. Let’s examine what it does to the SQL executed on the database:

    The PHP:
    mysql_query(“SELECT * FROM users WHERE username='” . $username.”‘ AND password='” . $password . “‘;”);

    When the above is executed, the following SQL is sent to the database:

    SELECT * FROM users WHERE username='' or 1=1-- ' AND password='' or 1=1--';

    The effective part of this SQL is this:
    SELECT * FROM users WHERE username=” or 1=1

    as the double dash (with the space afterwards) is a comment, removing the rest of the statement.

    Now that gives the malicious user access. With use of an escaping function such as mysql_real_escape_string, you can escape the content so the following is sent to the database:

    SELECT * FROM users WHERE username='\' or 1=1-- ' AND password='\' or 1=1--';

    That now escapes the quotes, making the intended strings, just that – strings.

    Now let’s view some XSS.
    Another malicious user would like to change the layout of a page. A well known XSS attack was the Facespace attack on Facebook back in 2005. This involves inserting raw HTML into forms. The database will save the raw HTML and then it will be displayed to users. A malicious user could insert some javascript with use of the script tag, which could do anything javascript can do!

    This is escaped by converting < and > to <l; and > respectively. You use the html_special_chars function for this.

    This should be enough to secure normal content on a site. However passwords are a different story.

    For passwords, you must also encrypt the password. It is advisable to use PHP’s crypt function for this.

    However, once the password is encrypted and saved in the database as an encypted password, how can you decrypt it to check that it is correct? Easy answer – you don’t decrypt it. HINT: A password always encrypts to the same value.

    Were you thinking ‘We can encrypt the password when the user logs in and check it against the one in the database’, you are correct…

    • 0