PHP - Non-destructive Input Sanitization

Question

I have a TextArea on my website which I write the input into my database.

I want to filter this TextArea input, but without removing any HTML tags or other stuff.

In short, I want to sanetize and securize the input before I write it into my database, but I want the entry to be intact and unmodified when I take back the entry from the database and write it on the website.

How can I achieve this?

Answer 1

If you want to preserve the data character for character when it's written back to the website try:

$stringToSave = mysql_real_escape_string($inputString);

Then when retrieving it from the database:

$stringToPutOnPage = htmlentities($databaseString);

If you want the html to actually be read as html (be careful about XSS) you can just use:

$stringToSave = mysql_real_escape_string($inputString);

Edit: It would seem that best practice is to sanitize the string for html after retrieving it from the database and not before. Thanks for the comments, I will have to change my method.

Answer 2

If you mean you simply want to make it safe to store in your database all you need to do is use the database specific escaping method, for example mysql_real_escape_string. Of course, that doesn't secure you from XSS attacks, but if you want to retrieve and display it unmodified you don't have a choice.

Answer 3

It's really simple:

• To avoid SQL injection, mysql_real_escape_string your values before concatenating them into an SQL query, or use parameterized queries that don't suffer from malformed strings in the first place.
• To avoid XSS problems and/or messed up HTML, HTML escape your values before plugging them into an HTML context.
• JSON escape them in a JSON context, CSV escape them in a CSV context, etc pp.

All are the same problem, really. As a very simple example, to produce the string "test" (I want the quotes to be part of the string), I can't write the string literal $foo = ""test"". I have to escape the quotes within the quotes to make clear which quotes are supposed to end the string and which are part of the string: $foo = "\"test\"".

SQL injection, XSS problems and messed up HTML are all just a variation on this.
To plug a value that contains quotes into a query, you have the same problem as above:

$comment = "\"foo\"";  // comment is "foo", including quotes
$query = 'INSERT INTO `db` (`comment`) VALUES ("' . $comment . '")';
       // INSERT INTO `db` (`comment`) VALUES (""foo"")

That produces invalid syntax at best, SQL injection attacks at worst. Using mysql_real_escape_string avoids this:

$query = 'INSERT INTO `db` (`comment`) VALUES ("' . mysql_real_escape_string($comment) . '")';
       // INSERT INTO `db` (`comment`) VALUES ("\"foo\"")

HTML escaping is exactly the same, just with different syntax issues.
You only need to escape your values in the right context using the right method. To escape values for HTML, use htmlentities. Do that at the time it's necessary. Don't prematurely or over-escape your values, only apply the appropriate escape function in the right context at the right time.