This is a migrated thread and some comments may be shown as answers.

Editor usage mysql_real_escape_string

Jan Kaare
Jan Kaare asked on 20 Apr 2013, 07:17 PM
For the MySQL-based web page and the insertion and update of the Description field, I’m used to cleaning the Description field with the following:

mysql_real_escape_string(Description)

When the Kendo editor is now used, such a cleaning process screws up the resulting data and ends in incorrect data when it is read back from the server, for hyperlinks as an example. For a hyperlink, the original string http://www.vg.no becomes \"http://www.vg.no\" when read back from the database, the original tooltip "VG sidene" becomes \"VG, and the originally checked option for "Open link in new window" becomes unchecked.

Do you have an idea about what’s going on here? How can I utilize this standard cleaning mechanism, mysql_real_escape_string, with the editor?

1 Answer, 1 is accepted

Alex Gyoshev
Telerik team
answered on 23 Apr 2013, 07:27 AM
Hello Jan Kaare,

Please consider using prepared statements instead of mysql_real_escape_string. While the latter may prevent SQL injection attacks, it will not help with XSS exploits. See the following SO thread for more information. The advice of using the HTML Purifier library is also worth taking, as it will ensure that only valid content is saved on the server.

Kind regards,
Alex Gyoshev
the Telerik team
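The approach the answer recommends, written out as an added example (this is not code from the thread or from Telerik): the editor's HTML is stored and updated through PDO prepared statements, so no escaping function ever rewrites the value, and the markup is optionally run through HTML Purifier before it is saved. The table name `pages`, its columns `id` (auto-increment) and `description`, the DSN and the credentials are placeholders assumed for the example; the HTML Purifier call is guarded so the code also runs where the library is not installed.

```php
<?php
// Added example, not from the original thread: storing a Kendo Editor
// "Description" field with PDO prepared statements instead of
// mysql_real_escape_string() plus string concatenation.
//
// Assumptions (not stated on the page): a table `pages` with columns
// `id` (INT AUTO_INCREMENT PRIMARY KEY) and `description` (TEXT);
// the DSN, user name and password below are placeholders.

declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=example_db;charset=utf8mb4', // placeholder
        'example_user',                                           // placeholder
        'example_password',                                       // placeholder
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Real server-side prepares keep data and SQL apart at the protocol level,
            // so the value is never spliced into the query text.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Optional server-side sanitising of the editor HTML, as the answer suggests.
// Guarded so the example still runs where HTML Purifier is not installed.
function sanitiseHtml(string $html): string
{
    if (class_exists('HTMLPurifier')) {
        $config = HTMLPurifier_Config::createDefault();
        // Permit target="_blank" so the editor's "Open link in new window" option survives.
        $config->set('Attr.AllowedFrameTargets', ['_blank']);
        return (new HTMLPurifier($config))->purify($html);
    }
    return $html;
}

function insertDescription(PDO $pdo, string $html): int
{
    $stmt = $pdo->prepare('INSERT INTO pages (description) VALUES (:description)');
    $stmt->execute([':description' => sanitiseHtml($html)]);
    return (int) $pdo->lastInsertId();
}

function updateDescription(PDO $pdo, int $id, string $html): bool
{
    $stmt = $pdo->prepare('UPDATE pages SET description = :description WHERE id = :id');
    $stmt->bindValue(':description', sanitiseHtml($html), PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt->execute();
}

function readDescription(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT description FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['description'];
}

// Constructed sample: the kind of markup the editor produces for the link in the question.
$editorHtml = '<p>Read <a href="http://www.vg.no" title="VG sidene" target="_blank">VG</a> today</p>';

$pdo = connect();
$id  = insertDescription($pdo, $editorHtml);

// No escaping function touched the stored value, so the href is not wrapped in \"...\"
// and the title is not truncated; only the purifier (if present) may have altered it.
$stored = readDescription($pdo, $id);
var_dump($stored === sanitiseHtml($editorHtml));

// The same prepared statement handles later edits from the editor.
updateDescription($pdo, $id, str_replace('today', 'tomorrow', $editorHtml));
```

Because the value is bound as a parameter, the database receives the original editor markup regardless of the quotes, backslashes or angle brackets it contains; escaping belongs at the point of output, not in storage, and the purifier step is the place to restrict which tags and attributes the stored HTML may carry.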