Jump to content

Sanitize + htmlentities Problem with Accents and Needed Special Characters

nightkarnation

By nightkarnation
in PHP Coding Help

 Share

Recommended Posts

nightkarnation Regular Member

nightkarnation

Posted
Posted

Hey Guys!

I would really like some feedback on the following:

 

I have a site in Portuguese. Php retrieves a lot of POST's with Special Characters and Portuguese Accents (which are expected).

With my sanatize function I am having some real problems with the 'htmlentities' for XSS Injection Prevention.

htmlentities is changing the accents to strange characters and messes up my database.

 

sanitize( &$_GET );
sanitize( &$_POST );
sanitize( &$_COOKIE );

function sanitize( &$some) 
{
$some = array_map('htmlentities', $some); //XSS Prevention

foreach( $some as $key => $value ) 
{
	$value = str_replace( '--', '', $value );
	$value = str_replace( '/*', '', $value );
	$value = str_replace( '"', '', $value );
	$value = str_replace( "'", '', $value );
	$value = ereg_replace( '[\( ]+0x', '', $value );
	if ($value != $some[$key]) 
	{
		$some[$key] = $value;
	}
}
}

 

The only solution I can think of is to take out the 'htmlentities' function, but I would really like to have this as a prevention against XSS, is there any way around this to have both things working?

 

Any ideas, suggestions?

 

Thanks in advance!

Link to comment
Share on other sites
simshaun Newbie

simshaun

Posted
Posted

First, you should be inserting the posted value into your database as is (accented characters, quotes and all) and format your content upon display.

To do this, be sure your db collation (and field collation) is set appropriately.  I recommend utf8_unicode_ci.  Otherwise, the character data may not store correctly. 

Then, ensure your PHP MySQL connection is using utf8 (see mysql_set_charset()). 

Finally, ensure your HTML encoding type is set to utf8.  One way is to put this meta tag in your head tag. 

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

 

Second, I don't recommend using your sanitize() function at all.  It seems as if its primary purpose based on its functionality is for escaping the data for use in a SQL string.  You should either A. be using mysql_real_escape_string() instead, or B. use prepared statements or an abstraction layer that uses parametrized queries.

 

Third (and as a side-note): You should use preg_replace instead of ereg_replace (be sure to add the expression delimiters).

Link to comment
Share on other sites
btherl Member

btherl

Posted
Posted

And remember to use htmlentities() on the data you fetch from the db, before inserting it into the html.  That's where the XSS prevention will happen.  So the process is:

 

Input => mysql_real_escape_string()/prepared statements => db => htmlentities() => insert into HTML output

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.