Editor usage mysql_real_escape_string

  1. Jan Kaare

    Posted 20 Apr 2013

    For the MySQL-based web page and the Description field insertion and update, I'm used to cleaning the Description field with the following:


    When the Kendo editor is now used, such a cleaning process screws up the resulting data and ends in incorrect data when the data is then read back from the server, for the hyperlinks as an example. For a hyperlink, for the original string http://www.vg.no the resulting string when read back from the database becomes \"http://www.vg.no\", the original tooltip "VG sidene" becomes \"VG, and the original checked option for Open link in new window becomes unchecked.

    Do you have an idea about what's going on here? How can I utilize this standard cleaning mechanism, mysql_real_escape_string, for the editor usage?
  2. Alex Gyoshev

    Posted 23 Apr 2013

    Hello Jan Kaare,

    Please consider using prepared statements instead of mysql_real_escape_string. While the latter may prevent SQL injection attacks, it will not help with XSS exploits. See the following SO thread for more information. The advice of using the HTML Purifier library is also worth taking, as it will ensure that only valid content is saved on the server.

    Kind regards,
    Alex Gyoshev
    the Telerik team
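Worked example of the two points in the answer above: placeholders instead of escaping-and-splicing for the SQL side, and an allowlist sanitizer for the HTML side. This is an added example, not code from the poster or from Telerik; it is written in Python against the bundled sqlite3 module so it runs offline, but the placeholder pattern is the same one PHP's PDO and mysqli prepared statements use. The markup in EDITOR_HTML is constructed to resemble what a rich-text editor posts back for a link with a tooltip and "open in new window"; HOSTILE_HTML is likewise constructed. The sanitizer is a deliberately small stand-in for HTML Purifier and does not replace it. One caveat worth keeping in mind: a value that is bound as a parameter must not be run through mysql_real_escape_string first, since a backslash-escaped quote such as \" is exactly what ends up stored when an escaped string is saved literally instead of being consumed by the SQL parser.

```python
# Added example: parameterized queries vs. string splicing, plus an allowlist
# HTML sanitizer. Not from the forum thread; uses sqlite3 so it runs offline.
import html
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input (assumed editor output, not captured from Kendo).
EDITOR_HTML = '<p>See <a href="http://www.vg.no" title="VG sidene" target="_blank">VG</a></p>'
HOSTILE_HTML = '<p>hi</p><script>alert(1)</script><a href="javascript:alert(1)">x</a>'


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, description TEXT)")
    conn.execute("INSERT INTO items (description) VALUES (?)", ("first",))
    conn.execute("INSERT INTO items (description) VALUES (?)", ("second",))
    return conn


def update_concatenated(conn, item_id, description):
    # Vulnerable pattern: escape the string column, then splice both values
    # into the SQL text. Quote-doubling covers the quoted description, but the
    # id is spliced in unquoted, so no string escaping would have helped it.
    escaped = description.replace("'", "''")
    cur = conn.execute(f"UPDATE items SET description = '{escaped}' WHERE id = {item_id}")
    return cur.rowcount


def update_parameterized(conn, item_id, description):
    # Safe pattern: values travel separately from the SQL text via placeholders.
    cur = conn.execute("UPDATE items SET description = ? WHERE id = ?", (description, item_id))
    return cur.rowcount


def injection_rowcounts():
    """Rows touched by each variant when the id comes from a hostile client."""
    hostile_id = "1 OR 1=1"
    clobbered = update_concatenated(open_db(), hostile_id, "pwned")   # every row
    untouched = update_parameterized(open_db(), hostile_id, "pwned")  # no row
    return clobbered, untouched


def store_and_read(description):
    """Insert via a placeholder and read back: quotes, backslashes and tags all
    survive unchanged, because nothing is escaped into the SQL text. That also
    means SQL safety says nothing about whether the stored HTML is safe."""
    conn = open_db()
    cur = conn.execute("INSERT INTO items (description) VALUES (?)", (description,))
    row = conn.execute("SELECT description FROM items WHERE id = ?", (cur.lastrowid,)).fetchone()
    return row[0]


# Tags the stored markup may keep, with the attributes allowed on each.
ALLOWED = {"p": set(), "b": set(), "i": set(), "a": {"href", "title", "target"}}


class AllowlistSanitizer(HTMLParser):
    """Keeps only allowlisted tags/attributes; drops <script>/<style> bodies."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            # Only http(s) links, which blocks javascript:, data: and friends.
            if name == "href" and urlparse(value).scheme not in ("http", "https"):
                continue
            if name == "target" and value != "_blank":
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("rows changed (concatenated, parameterized):", injection_rowcounts())
    print("round trip intact:", store_and_read(EDITOR_HTML) == EDITOR_HTML)
    print("stored as-is, still dangerous:", store_and_read(HOSTILE_HTML))
    print("sanitized:", sanitize(HOSTILE_HTML))
```

The sanitizer runs on the server before the INSERT, so what is stored is already safe to render; the parameterized INSERT then keeps it byte-for-byte. It only enforces an allowlist and a URL scheme check, not well-formedness (an unclosed `<b>` passes through unclosed), which is one of several reasons to use HTML Purifier in a real PHP deployment rather than this stand-in.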