dropfaith, posted October 16, 2008 (https://forums.phpfreaks.com/topic/128635-trim/):

So I'm working on some security stuff for my site. I already use mysql_real_escape_string() and $Contact = htmlentities($cContact,ENT_QUOTES,"utf-8"); when inputting data to the db, and then mysql_real_escape_string() again when I pull data back out by typing in URLs like http://www.lawrenceguide.org/events/events.php?Type=Art. It has recently come to my attention that I should also use the trim() function, but I'm wondering if I need to do that on insert, or as I'm pulling data from the db, or both? Also, any other advice on blocking SQL injection and XSS attacks would be awesome.
kenrbnsn, posted October 16, 2008:

It's my understanding that you should use mysql_real_escape_string() when inserting data into the database and htmlentities() when displaying data to the screen. Using mysql_real_escape_string() when displaying data is only going to clutter your output with backslashes.

Ken
dropfaith (author), posted October 16, 2008:

Hrmm, and not use trim? I'm expecting user input from people I don't know at all, so I can't really risk a trust system on these users. I'm looking to make this as secure as possible; only using mysql_real_escape_string() doesn't seem like it would be enough.
Lodius2000, posted October 16, 2008:

Spaces occupy space in your db just like anything else. I use trim on all my text-type input fields, even before error checking, so when my dad (computer doofus) tries to log in and lays on his spacebar for half an hour and doesn't notice, then types his username, it is the same with or without the spaces.
kenrbnsn, posted October 16, 2008:

I forgot to mention trim. Sorry. Use

mysql_real_escape_string(trim(stripslashes($var)))

Why don't you think just using mysql_real_escape_string() is enough? It escapes potentially bad input so the bad input doesn't do bad things to your query.

Ken
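The two boundaries Ken describes, as an added example that is not code from the original thread: normalise and protect the value once on the way into the query, and HTML-encode it once on the way out to the browser. The mysql extension with mysql_real_escape_string() was removed in PHP 7, so the insert below uses a mysqli prepared statement, which sends the value separately from the SQL text and so needs no manual escaping; mysqli_real_escape_string($db, $s) is the connection-aware equivalent if a value must be interpolated into a query string by hand. The connection credentials, the `events` table and its `type` and `contact` columns, and the submitted values are assumptions for the example.

```php
<?php
// Added example, not code from the original thread.
// Assumed: a MySQL database named `lawrenceguide` reachable with the
// credentials below, and an `events` table with `type` and `contact` columns.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Input boundary: trim whitespace so "   alice" and "alice" are the same
// value. stripslashes() only belongs here when magic_quotes_gpc has
// already added backslashes (PHP < 5.4); on a newer install it would
// delete backslashes the user typed on purpose, so the call is guarded.
function clean_input(string $raw): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $raw = stripslashes($raw);
    }
    return trim($raw);
}

// Storage boundary: a prepared statement keeps the value out of the SQL
// text, so a quote or semicolon inside $contact can never end the string
// literal or start a second statement. Nothing is HTML-encoded here; the
// database keeps the raw text.
function insert_event(mysqli $db, string $type, string $contact): bool
{
    $stmt = $db->prepare('INSERT INTO events (type, contact) VALUES (?, ?)');
    $stmt->bind_param('ss', $type, $contact);
    return $stmt->execute();
}

// Output boundary: encode for HTML only when rendering. ENT_QUOTES turns
// both ' and " into entities, so the value is safe inside attributes too.
// Running mysqli_real_escape_string() here instead would leave literal
// backslashes in the page, which is the clutter Ken refers to.
function render_cell(string $stored): string
{
    return htmlentities($stored, ENT_QUOTES, 'UTF-8');
}

// Wiring it together for a request like events.php?Type=Art
$db = new mysqli('localhost', 'webuser', 'secret', 'lawrenceguide'); // assumed credentials
$db->set_charset('utf8mb4');

// Constructed sample input standing in for $_GET['Type'] / $_POST['Contact']:
// a leading space that trim() removes, and a contact value containing a
// quote and a second statement, which the prepared statement stores literally.
$type    = clean_input($_GET['Type'] ?? ' Art');
$contact = clean_input($_POST['Contact'] ?? "O'Brien'; DROP TABLE events; --");

insert_event($db, $type, $contact);

// Read back and display: the quote comes out as an entity, never as markup.
$res = $db->query("SELECT type, contact FROM events ORDER BY 1 DESC LIMIT 1");
foreach ($res as $row) {
    echo '<td>' . render_cell($row['type']) . '</td>'
       . '<td>' . render_cell($row['contact']) . '</td>' . "\n";
}
```

Note that the order matters: trim and any magic-quotes cleanup happen once on input, the query sees the value only through a bound parameter, and encoding is applied at the moment of output for the specific context (HTML body or attribute). Applying output encoding before storage, as the first post does with htmlentities() on $Contact, stores entities in the database and makes the same value render wrongly in any non-HTML context later.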
dropfaith (author), posted October 16, 2008:

Not that I don't use mysql_real_escape_string(); I just don't see it as the best security without other things. Only using mysql_real_escape_string() seems too easy to block all SQL and XSS. I'm new to PHP and refuse to believe they made an option that easy, hah.
dropfaith (author), posted October 16, 2008:

Okay, so I'm now using mysql_real_escape_string(trim(stripslashes($var))) on all inputs; took me a while to update. So you're saying to now just use htmlentities($cContact,ENT_QUOTES,"utf-8"); on pulling data back out and nothing else? Also, if there are any mods reading this, maybe we should add a sticky for security with this kind of info; seems like it would come up a lot.
darkfreaks, posted October 16, 2008:

Why do we need a security thread when there are obvious security tutorials?