Ashley Sheridan wrote:
> On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
>> mysql_real_escape_string() only sanitise the input. I would personally
>> only allow [a-zA-Z0-9-_] in search string but that's just me ;)
>> Validate the input in some way, or make extra sanitisation of it
>> before running the search query.
>> Regarding the HTML output, just entities() it and you'll be good :)
>> On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan <> wrote:
>>         On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
>>         > As for the output, just html entities () it and you will be good.
>>         >
>>         > You better check the search query for sql injection, which is more dangerous.
>>         >
>>         > HTH
>>         > Nitsan
>>         >
>>         > On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan <> wrote:
>>         >         Hi all,
>>         >
>>         >         I'm looking at adding a new search feature to my site, and one of the elements of this is to echo back in the search results page the original string the user searched for. Up until now, XSS hasn't (afaik) been an issue for my site, but I can see from a mile off this will be. What would you guys recommend to avoid this?
>>         >
>>         >         I'd thought initially of using a mixture of html_special_chars() and a regex (as yet not sure what I'll be stripping out with this) to sanitise the output for display on the results page, but is this enough?
>>         >
>>         >         Thanks
>>         >         Ash
>>         >
>>         I always use mysql_real_escape_string() for that sort of thing, not had a problem with it, but is there anything you think I should be wary of?
>>         Thanks
>>         Ash
> [just bringing it back on list]
> Well, I don't understand, what is the problem with
> mysql_real_escape_string() for sanitising input to use for a search? It
> should escape anything out so that the query can't be used in ways that
> I don't want no?
> I'd thought about using a whitelist-only regex, but that seems a little
> limiting tbh, and as my site contains code, it's not unreasonable to
> expect some people might want to search for particular code excerpts.
> Thanks
> Ash

You would use mysql_real_escape_string() before using the string in a db
query (searching).  You should use htmlentities() and/or strip tags
before displaying the string.
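The reply above separates two jobs: escape for the database when the term goes into the query, and encode for HTML when the term goes back to the browser. The example below is added here and is not code from the thread. It assumes a `posts` table with a `body` column and a `mysqli` connection supplied by the caller; because `mysql_real_escape_string()` was removed in PHP 7, the query side uses a prepared statement, which achieves the same goal of keeping the term out of the SQL text. It also handles one case the thread does not mention: `%` and `_` are wildcards inside `LIKE`, so a search for `50%` needs them escaped even when the value is bound as a parameter.

```php
<?php
// Added example, not from the thread. Assumptions: a `posts` table with a
// `body` column, a mysqli connection from the caller, and PHP with mysqlnd
// (needed for get_result()). The query side uses a prepared statement in place
// of the thread's mysql_real_escape_string(), which no longer exists in PHP 7+.

declare(strict_types=1);

/**
 * Escape LIKE metacharacters so "100%" or "a_b" match those literal
 * characters. A bound parameter protects the SQL syntax, not the LIKE
 * pattern grammar, so this is a separate step. MySQL's default LIKE
 * escape character is the backslash.
 */
function escape_like_term(string $term): string
{
    return strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
}

/**
 * Build the search SQL with a placeholder plus the value to bind. Returning
 * both keeps the data/code separation visible and lets it be inspected
 * without a database connection.
 */
function build_search_query(string $term): array
{
    $pattern = '%' . escape_like_term($term) . '%';
    $sql = 'SELECT id, body FROM posts WHERE body LIKE ?';
    return [$sql, $pattern];
}

/**
 * Query side: the term travels as bound data, never as part of the SQL
 * text, so quotes and comment sequences inside it cannot alter the query.
 */
function run_search(mysqli $db, string $term): array
{
    [$sql, $pattern] = build_search_query($term);
    $stmt = $db->prepare($sql);
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

/**
 * Output side: encode once, at the point of display. ENT_QUOTES also covers
 * attribute values; the charset must match the page's declared encoding.
 */
function render_search_term(string $term): string
{
    return htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input that exercises both concerns at once (not real user data).
$term = "<script>alert(1)</script>' OR 1=1 -- 50%_off";

[$sql, $pattern] = build_search_query($term);
echo "SQL:   $sql\n";
echo "bound: $pattern\n";
echo 'HTML:  <p>Results for "' . render_search_term($term) . "\"</p>\n";
```

Encoding the term with `htmlspecialchars()` rather than stripping tags keeps the echoed text faithful to what was typed, which matters on a site where people search for code excerpts: `<?php` still displays as `<?php`, it just no longer parses as markup. The two steps are independent, so a term that is safe for the query can still be dangerous on the page and vice versa; each output context needs its own encoding.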


PHP General Mailing List