Hi,
I am at the prototype stage with my site. After I asked this question on this site and after extra reading I decided to use MySQL prepared statements.
With my new way of thinking I want to be sure that I understood things correctly, so my 2 questions are:
1. If I use prepared statements during untrusted data insertion into MySQL, I do NOT need to use the mysqli_real_escape_string function. Am I right?
2. If I use prepared statements while fetching and displaying data from the MySQL db to the screen as HTML, (for security reasons) it will be better to use the HTML Purifier class, so I should use the HTML Purifier class. Am I right?
Can you please guide me with my way of thinking? Does my method make sense?
Thanks, BR
if I use prepared statements during untrusted data insertion into mysql, I need NOT to use mysqli_real_escape_string function. Am I right?
You got the point. Prepared statements have their own escaping procedure.
if I use prepared statements while fetching & displaying data from mysql db to screen as html, (for security reasons) it will be better to use html purifier class, so I should use html purifier class. Am I right?
You are also right. When you print your HTML you have to be sure it is safe, so there are two solutions: the radical one, escaping everything with htmlspecialchars, or the softer one that allows safe HTML tags, using HTMLPurifier.
I also want to introduce you to a rule that will bring you to a secure and more comfortable website: filter in, escape out.
Prepared statements and HTMLPurifier are here to "escape out"; that means you will send your data in a way that is understandable to your output.
The "filter in" part of the rule makes you study what your users input. A nice example would be date formats.
Perhaps you want them to enter a date in the English format Y-m-d. If they don't, your website won't work, so you have to ask them to enter the date again the right way.
There is one method to remember about filtering: filter_var.
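Here is the "filter in, escape out" rule from the answer above carried through one request, as an added example that is not code from the question or the answer. It validates a date and an email with filter_var, stores them with a mysqli prepared statement (no mysqli_real_escape_string), and then prints the stored comment twice: once through htmlspecialchars (the radical option) and once through HTMLPurifier (the softer option). The table name `events`, its columns, the connection details and the Composer autoload path are assumptions; the submitted values are constructed sample input.

```php
<?php
// Added example: "filter in, escape out" with mysqli prepared statements,
// filter_var, htmlspecialchars and HTMLPurifier. Not from the original post.
// Assumed: table `events`(id, email, event_date, comment), HTMLPurifier installed
// via Composer, and the connection details below.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // provides HTMLPurifier (assumed install path)

// ---- filter in: validate untrusted input before it reaches the database ----
function validateDate(string $input): ?string
{
    // Accept only the Y-m-d shape the site expects, then check the date is real.
    $shape = filter_var($input, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/^\d{4}-\d{2}-\d{2}$/'],
    ]);
    if ($shape === false) {
        return null;
    }
    [$y, $m, $d] = array_map('intval', explode('-', $input));
    return checkdate($m, $d, $y) ? $input : null; // 2024-02-30 has the shape but is not a date
}

function validateEmail(string $input): ?string
{
    $email = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// ---- store: the prepared statement keeps values separate from the SQL text ----
function insertEvent(mysqli $db, string $email, string $date, string $comment): int
{
    // No mysqli_real_escape_string: bound values are sent apart from the query,
    // so they are never parsed as SQL no matter what characters they contain.
    $stmt = $db->prepare('INSERT INTO events (email, event_date, comment) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $email, $date, $comment);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// ---- escape out: encode for the context the data is printed into ----
function renderPlain(string $value): string
{
    // Radical option: every special character becomes an entity, no tag survives.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderRichText(string $html): string
{
    // Softer option: keep a whitelist of tags, drop scripts, event handlers, bad URLs.
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,a[href],ul,ol,li');
    return (new HTMLPurifier($config))->purify($html);
}

// ---- one request end to end (constructed sample input) ----
$submitted = [
    'email'   => 'alice@example.com',
    'date'    => '2024-02-30', // looks like Y-m-d but is not a real date
    'comment' => '<b>hello</b><script>alert(1)</script>',
];

if (validateDate($submitted['date']) === null) {
    // filter in: reject and ask again rather than silently "fixing" the value
    echo "Please enter the date as Y-m-d.\n";
    $submitted['date'] = '2024-02-29'; // second attempt by the user (constructed)
}

$date  = validateDate($submitted['date']);
$email = validateEmail($submitted['email']);
if ($date === null || $email === null) {
    exit("Invalid input.\n");
}

$db = new mysqli('localhost', 'user', 'password', 'app'); // assumed credentials
$db->set_charset('utf8mb4');
$id = insertEvent($db, $email, $date, $submitted['comment']);

$stmt = $db->prepare('SELECT comment FROM events WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();

echo renderPlain($row['comment']), "\n";    // all tags shown as text, nothing executes
echo renderRichText($row['comment']), "\n"; // <b>hello</b> kept, <script> removed
```

The two render functions are the choice the answer describes: use renderPlain wherever the value is supposed to be text, and reserve renderRichText for fields where users are allowed a limited set of markup. Both run on output, every time, regardless of what validation happened on the way in.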