PHP - Htmlspecialchars Versus Mysql_real_escape_string

which one is necessary while protecting form field

Edited July 28, 2019 by mahenda

What do most people prefer to use? htmlspecialchars or htmlentities

Hello Guys ... i am new here and i am also new in php

i selfstudy html css and js and bootstrap for front-end

and for back-back php & mysql & PDO  & OOP and  i will soon start mvc then laravel

and i am trying to secure my input field  and i do not want any attacks or sql injects

and i see people user filter_var and htmlentities and htmlspecialchars  and each one has diffrent opinion

can some one help me and tell me what is the best for securing input which all values will store in database

thanks <3

Does anyone have an example of when htmlentities() would be used over htmlspecialchars()?

Not sure how to debug this. I have the following error that is ONLY happening when our site has a PCI scan running : -

ERRNO: 2
TEXT: htmlspecialchars() expects parameter 1 to be string, array given
LOCATION: /home/bttorj45/public_html/smarty_templates_c/dbbe565f1731d4158472b66b75c85442498e81b9_0.file.top_menu_bar.tpl.php, line 42, at April 11, 2020, 5:05 pm
Showing backtrace:
htmlspecialchars(Array[1], "3", "UTF-8", true) # line 42, file: /home/siteaddress/public_html/smarty_templates_c/dbbe565f1731d4158472b66b75c85442498e81b9_0.file.top_menu_bar.tpl.php
content_5e83087341d089_14126332(Object:Smarty_Internal_Template) # line 123, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_template_resource_base.php
Smarty_Template_Resource_Base.getRenderedTemplateCode(Object:Smarty_Internal_Template) # line 114, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_template_compiled.php
Smarty_Template_Compiled.render(Object:Smarty_Internal_Template) # line 216, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_template.php
Smarty_Internal_Template.render() # line 385, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_template.php
Smarty_Internal_Template._subTemplateRender("file:page_elements/top_menu_bar.tpl", null, null, "0", "120", Array[0], "0", false) # line 56, file: /home/siteaddress/public_html/smarty_templates_c/0e4c1495f7a25cef1d85553f951690964f702a5a_0.file.error404.tpl.php
content_5e4ffba4a49c66_36622821(Object:Smarty_Internal_Template) # line 123, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_template_resource_base.php
Smarty_Template_Resource_Base.getRenderedTemplateCode(Object:Smarty_Internal_Template) # line 114, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_template_compiled.php
Smarty_Template_Compiled.render(Object:Smarty_Internal_Template) # line 216, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_template.php
Smarty_Internal_Template.render(false, "1") # line 232, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_templatebase.php
Smarty_Internal_TemplateBase._execute(Object:Smarty_Internal_Template, null, null, null, "1") # line 134, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_templatebase.php
Smarty_Internal_TemplateBase.display("pages/error404.tpl") # line 65, file: /home/siteaddress/public_html/errors/404.php
include("/home/siteaddress/public_html/errors/404.php") # line 34, file: /home/siteaddress/public_html/smarty_plugins/function.load_product.php
Product.init("api") # line 5, file: /home/siteaddress/public_html/smarty_plugins/function.load_product.php
smarty_function_load_product(Array[2], Object:Smarty_Internal_Template) # line 39, file: /home/siteaddress/public_html/smarty_templates_c/53725e8a2fc4b6c7c0c42e801dab2741a0994a8e_0.file.product.tpl.php
content_5e579e9761f086_59385269(Object:Smarty_Internal_Template) # line 123, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_template_resource_base.php
Smarty_Template_Resource_Base.getRenderedTemplateCode(Object:Smarty_Internal_Template) # line 114, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_template_compiled.php
Smarty_Template_Compiled.render(Object:Smarty_Internal_Template) # line 216, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_template.php
Smarty_Internal_Template.render(false, "1") # line 232, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_templatebase.php
Smarty_Internal_TemplateBase._execute(Object:Smarty_Internal_Template, null, null, null, "1") # line 134, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_templatebase.php
Smarty_Internal_TemplateBase.display("pages/product.tpl") # line 85, file: /home/siteaddress/public_html/dirs.php

I ***think*** the scan must be inputting something in the search box to cause this (I'm awaiting info from Security Metrics with regard to this).

{load_chat assign="chat"}

{if $chat->mChat}
<script type="text/javascript" id="763333b0f312f025d780a8f4451bf6f3" src="https://www.siteaddress.com/online-support/script.php?id=763333b0f312f025d780a8f4451bf6f3"></script>
{/if}
{if !$chat->mChat && $settings->mSettings[13]}
<script type="text/javascript" id="aaa07817d7cd2a7dce9e0ffac6286dbb" src="https://www.siteaddress.com/online-support/script.php?id=aaa07817d7cd2a7dce9e0ffac6286dbb"></script>
{/if}

<div id="menu_switch"><i class="fa fa-bars fa toggler"></i></div>
<form id="product_search" method="get" action="{$smarty.const.SITE_ROOT}/searchresults/">
    <input type="text" name="search" placeholder="&#xf002; Product Search" style="font-family: FontAwesome, Arial; font-style: normal; font-size:18px;" {if isset($smarty.request.search) && $settings->mSettings[107]}value="{$smarty.request.search|escape:'htmlall'}"{/if} /><button type="submit" class="button"><i class="fa fa-search" aria-hidden="true"></i> <i class="fa fa-caret-right" aria-hidden="true"></i></button>
</form>
<form id="code_search" method="post" action="{$smarty.const.SITE_ROOT}/cart/quickadd.php">
    <input type="text" name="code" maxlength="14" placeholder="&#xf061; Product Code" style="font-family: FontAwesome, Arial; font-style: normal; font-size:18px;" /><button type="submit" name="submit" class="orange"><i class="fa fa-shopping-cart" aria-hidden="true"></i> Quick Add <i class="fa fa-caret-right" aria-hidden="true"></i></button>
</form>
{if !isset($hidecart) && isset($cartsmall) && $cartsmall->mCart.sub > 0}
    <p id="view_cart"><a class="button orange" href="{$smarty.const.SITE_ROOT}/cart/"><span class="hidden-xs hidden-sm"><i class="fa fa-shopping-cart" aria-hidden="true"></i> View Cart &nbsp;</span>&pound;{$cartsmall->mCart.sub} <i class="fa fa-caret-right" aria-hidden="true"></i></a></p>
{/if}
<script>
$('.toggler').click(function() {
$(this).toggleClass("fa-bars fa-times");
});
</script>

 

function.load_search.php :-

 

<?php
      
   function smarty_function_load_search($params, $smarty) {
      $search = new Search();
      $search->init();
      $smarty->assign($params['assign'], $search);
   }
   
   class Search {
      
      // public fields
      public $mSearchString;
        public $mSearchArray;
        public $mProducts;
        public $mProductCount;
      
      // private fields
        private $mDoSettings;
      private $mDoCatalogue;
      
      function __construct() {
            require_once FILE_ROOT . '/data_objects/do_settings.php';
            $this->mDoSettings = new DoSettings();
         require_once FILE_ROOT . '/data_objects/do_catalogue.php';
         $this->mDoCatalogue = new DoCatalogue();
           
            if (isset($_REQUEST['search']) && strlen(trim($_REQUEST['search']))>0 ) {
                $this->mSearchString = trim(stripslashes($_REQUEST['search']));
                $this->mSearchArray = explode(" ", $this->mSearchString);
            
            } else {
                header ("Location: /emptysearch/");
            die ();
            }
      }
      
      public function init() {
            $this->mProducts = $this->mDoCatalogue->SearchProducts($this->mSearchArray);
            $this->mProductCount = count($this->mProducts);
            for ($i = 0; $i < count($this->mProducts); $i++) {
                $this->mProducts[$i]['price_inc'] = number_format($this->mProducts[$i]['price'] * (($this->mDoSettings->GetSetting(1) / 100) + 1), 2, ".", ",");
            }
      }
      
   }
   
?>

 

do_catalogue.php :-

 

public function SearchProducts($search) {
         $fields = array("code", "title", "keywords");
            $query_string = "SELECT p.code, p.title, p.cattext, p.price, p.img, p.url, p.available, p.due, p.special, p.newproduct, p.discontinued, c.name, c.menulinktext FROM " . $this->mProductTable . " p " .
                "JOIN categories c ON p.category = c.id " .
                "WHERE ((";
            for ($f = 0; $f < count($fields); $f++) {
                if ($f != 0) { $query_string .= ") OR ("; }
                for ($s = 0; $s < count($search); $s++) {
                    if ($s != 0) { $query_string .= " AND "; }
                    $query_string .= "p." . $fields[$f] . " LIKE '%" . $this->mDoQuery->dbManager->DbEscape($search[$s]) . "%'";
                }
            }
         $query_string .= ")) AND active=1 AND live=1 " .
                "ORDER BY p.rating ASC";
            return $this->mDoQuery->dbManager->DbGetAll($query_string);
        }

 

Any idea's how to fix it? I can't replicate it with a specific issue as I don't know what the scan is doing to cause this! Thanks

Hello dears,

I've tried to use
htmlspecialchars
or
htmlentities

but both no longer work !

Example1 :

Code: [Select]
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new;
?>
Output should &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;

Code: [Select]
<?php
$str = "A 'quote' is <b>bold</b>";
echo htmlentities($str);
?>
Output should A 'quote' is &lt;b&gt;bold&lt;/b&gt;

But it isn't working ? what is wrong ?

htmlspecialchars($str, ENT_QUOTES, 'UTF-8');

Using this code with UTF-8. I need someone to help craft up some smalll xss injections with this.

I heard htmlspecialchars doesn't stop all xss attacks, so I'm wondering what's the most xss attack you can craft to load a simple cookie loader. (Basically, just simple javascript injection is all I'm trying to find, because people can use cookie loaders with it, and yeah, that's not good).

Looking for your code to be posted, and once it is.. I'll copy it and submit it through the code I posted above and see if there is any vulnerabilities. (On my localhost server)
Thanks!

$str = user input.

Oh, and here is the BBCODE regex that the code passes through before this function is returned on the text.
 

$text = preg_replace( "#\[b\](.+?)\[/b\]#is", "<span class='b'>\\1</span>", $text );
			$text = preg_replace( "#\[i\](.+?)\[/i\]#is", "<i>\\1</i>", $text );
			$text = preg_replace( "#\[u\](.+?)\[/u\]#is", "<u>\\1</u>", $text );
			$text = preg_replace( "#\[s\](.+?)\[/s\]#is", "<s>\\1</s>", $text );
			
			//Spoiler
			
			$text = preg_replace( "#\[right\](.+?)\[/right\]#is", "<div style='text-align:right'>$1</div>", $text );
			
			//Beautiful Colors
			$text = preg_replace( "%\[colou?r=([a-zA-Z]{3,20}|\#[0-9a-fA-F]{6}|\#[0-9a-fA-F]{3})](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text );
			$text = preg_replace( "%\[colou?r=(rgb\(\d{1,3}, ?\d{1,3}, ?\d{1,3}\))](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text );

If anyone can craft up an XSS for this, I'd appreciate it. Because I need this to be secure.
Edited by Monkuar, 10 January 2015 - 06:33 PM.

htmlspecialchars($str, ENT_QUOTES, 'UTF-8');

Using this code with UTF-8. I need someone to help craft up some smalll xss injections with this.

I heard htmlspecialchars doesn't stop all xss attacks, so I'm wondering what's the most xss attack you can craft to load a simple cookie loader. (Basically, just simple javascript injection is all I'm trying to find, because people can use cookie loaders with it, and yeah, that's not good).

Looking for your code to be posted, and once it is.. I'll copy it and submit it through the code I posted above and see if there is any vulnerabilities. (On my localhost server)
Thanks!

$str = user input.

Oh, and here is the BBCODE regex that the code passes through before this function is returned on the text.
 

$text = preg_replace( "#\[b\](.+?)\[/b\]#is", "<span class='b'>\\1</span>", $text );
			$text = preg_replace( "#\[i\](.+?)\[/i\]#is", "<i>\\1</i>", $text );
			$text = preg_replace( "#\[u\](.+?)\[/u\]#is", "<u>\\1</u>", $text );
			$text = preg_replace( "#\[s\](.+?)\[/s\]#is", "<s>\\1</s>", $text );
			
			//Spoiler
			
			$text = preg_replace( "#\[right\](.+?)\[/right\]#is", "<div style='text-align:right'>$1</div>", $text );
			
			//Beautiful Colors
			$text = preg_replace( "%\[colou?r=([a-zA-Z]{3,20}|\#[0-9a-fA-F]{6}|\#[0-9a-fA-F]{3})](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text );
			$text = preg_replace( "%\[colou?r=(rgb\(\d{1,3}, ?\d{1,3}, ?\d{1,3}\))](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text );

If anyone can craft up an XSS for this, I'd appreciate it. Because I need this to be secure.
Edited by Monkuar, 10 January 2015 - 06:33 PM.

I understand that I can place my HTML code outisde of my PHP tags and have it publish, OR i can put it inside the PHP tags and ECHO every line.

Am I correct in thinking that either will provide the same result?

Is there an advantage to one method over the other??

Hello, I'm learning PHP, so a completely noob, right now. First to the question itself, I want to know how to retrieve the data(variables & it's values) from the url, which was made or generated(or whatever right word is) by using http_build_query() in php. I created a querystring($string) with certain variables & dynamic values that I'm passing to a url

Is there anything different between a response and a responder?  My thought is maybe a response is something that one application gives to another, and a responder is used only by a single application to create a response.

interface TrendInterface
{
    public function getResponse($blabla):TrendResponse;
    public function getResponder($blabla):TrendResponder;
}

 

I initially set up a few VAR items to learn some JS coding.   Then it became apparent that altering the group and entering them into an array would be more effective.   However, my limited knowledge is confusing the situation.   Is there a simple comparison (with proper code and formatting) that someone can provide?   Example:  student in the school info desired: name, age, hair color, eye color   As separate VAR listings I cannot sort by age, so I create an array, but how can I name them student 1, 2, 3 etc.  (or do I not want to??).

Hy i read the topic about the md5 insecurity and the collision possibility....

And now i have a following question. Is it not MUCH more secure to store the actual password in the DB then the md5 value of it??

Because you with it eliminate the collision possibility of the md5 completely.

And I am aware of the possibility that someone could break into my DB but if I am dumb enough to let someone access my db, but that is not an issue.
I can always use a 2way encryption to store the data.

I launched my new website about a month ago.  I switched from one web host to another due to poor hosting performance.  Now I'm running into the same issue again -- poor web hosting performance.   My first web host was Hostgator.  My current web host is AT&T.  I hate the thought of switching to a different web host every month trying to find one that will reliably host my site.  Does anyone here have a reliable web host that they use and would recommend?   My question is relative since what is reliable for a simple web site, may not be reliable for one that is more complex.  For this reason, I can't simply trust web host reviews.   My website isn't overly complicated, but it's more complex than just basic HTML.  It uses a lot of PHP, as well as a MySQL database that only has two small tables.  The website uploads and downloads small text files regularly.  It also sends E-mail attatchments quite often.   Because I just launched, my website isn't getting a ton of traffic -- about 10 users per day.  However, I'm beginning to run into the same problem as before.  My web host's server is starting to show itself as being unreliable.  As with my first web host, it seems as if it may be due to overcrowding on the shared server.   Do any of you run any moderately complex websites?  If so, who do you use for a reliable web host?   I've considered setting up my own server with a LAMP configuration and hosting the site myself.  However, I don't know a lot about Linux or Apache, and so would like to avoid this.  But because the computer would only be hosting my own website, and no one else's, I have to believe that a LAMP setup would be more reliable than a shared server that is overcrowded.   A reliable web host is really what I'm looking for.  But I don't want to keep going down the road of trial and error.  If anyone uses a web host that reliably supports their moderately-complex website, then I would love to hear from you.  I'm sick of my site failing due to server issues.  Like the Duracel commercial says, "It just has to work!"   Please forgive me if you feel that my post doesn't correctly fit the forum category.  I tried to figure out which category best fits this topic, but none of them seemed to be perfectly suitable.   Thank you for your time, as well as for any suggestions.