mysql / php - inserting serialized data containing quotes into the db and retrieving it later without slashes - security question

I am putting serialized data into a database. The data comes from an input field and it can be anything (a string), also with quote signs. I encode the serialized data with base64 so that serialize does not result in an error. But the quote marks became \'. I am aware that this is a mysql injection remedy, and the encoded data contains the escaped \' signs. Magic_quotes are on. Here's the code:

$_POST['post']:

[0] => this is \"test\"
[1] => test2
[2] => quotes \"\"

php:

$db  = base64_encode(serialize($_POST['post']));

Now I get the serialized and encoded data. When I try to retrieve it:

[mysql functions to retrieve row]
$arr = unserialize(base64_decode($arr));
foreach ( $arr as $arr1 ) {
    $arr2[] = stripslashes($arr1);
}
print_r($arr2);

After data retrieval I get as intended:

$arr2:

[0] => this is "test"
[1] => test2
[2] => quotes ""

Question is: is it mysql injection safe? Is it safe at all to put data from arr2 into an html page, into input fields and the body of the page? If not, what would be a good method to do it? Should I use html_escape- and mysql_special-like functions?

Thanks in advance :)

EDIT: string data from database will be used only as a value of input and textarea html tags.

It's happening because you've got magic quotes enabled. Magic quotes are deprecated.

Since you're using your own method to avoid injection issues, if you are unable to change the magic quotes setting for your installation, then stripslashes before you base64_encode the data - not when you decode it.

(I assume you are aware that the data structure you are creating is opaque to the DBMS thereby breaking normalization rules and making it impossible to query the data effectively).

string data from database will be used only as a value of input and textarea html tags.

So you may (at a significant cost) have solved the sql injection problem but are not bothered about XSS attacks?

Use the provided functions for changing the representation of data according to where you are sending the data (i.e. mysql_real_escape_string, htmlentities etc).

Change:

$db  = base64_encode(serialize($_POST['post']));

to

$db  = mysql_real_escape_string(base64_encode(serialize($_POST['post'])));

And it will be injection-free.
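The two answers above recommend stripping magic-quote slashes before encoding, keeping the SQL and HTML escaping steps separate, and escaping for HTML when the values land in input and textarea tags. The following is an added example (not code from the question or either answer) that puts those points together with a PDO bound parameter in place of mysql_real_escape_string; the $pdo connection, the posts table and its data column are assumed.

```php
<?php
// Added example: store the serialized POST array and render it back into
// form fields. Assumes a PDO connection $pdo and a table
// posts(id INT PRIMARY KEY, data TEXT) (both assumptions).

// 1. Undo magic quotes if they are still on (removed in PHP 5.4), so the
//    stored string holds the user's real quotes, not added backslashes.
function strip_magic_quotes(array $values): array {
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return $values;
    }
    return array_map('stripslashes', $values);
}

// 2. Encode and insert with a bound parameter: the base64 text travels as
//    data, never spliced into the SQL string, so no escaping is needed.
function store_post(PDO $pdo, array $post): void {
    $blob = base64_encode(serialize(strip_magic_quotes($post)));
    $stmt = $pdo->prepare('INSERT INTO posts (data) VALUES (:data)');
    $stmt->execute([':data' => $blob]);
}

// 3. Read it back. allowed_classes => false keeps unserialize() from
//    instantiating objects out of user-influenced data (PHP >= 7.0).
function load_post(PDO $pdo, int $id): array {
    $stmt = $pdo->prepare('SELECT data FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetchColumn();
    if ($row === false) {
        return [];
    }
    $arr = unserialize(base64_decode($row, true), ['allowed_classes' => false]);
    return is_array($arr) ? $arr : [];
}

// 4. Escape at output time, for the HTML context the value lands in.
//    ENT_QUOTES covers the double quotes around the value attribute.
function render_fields(array $values): string {
    $html = '';
    foreach ($values as $key => $value) {
        $k = htmlspecialchars((string) $key, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $v = htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "<input name=\"post[$k]\" value=\"$v\">\n";
        $html .= "<textarea name=\"post[$k]\">$v</textarea>\n";
    }
    return $html;
}

// Usage: store_post($pdo, $_POST['post']); echo render_fields(load_post($pdo, 1));
```

With this layout, a posted value such as this is "test" is stored with its real quotes and comes back as this is &quot;test&quot; inside the tag, so no stripslashes call is needed on the way out.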