dadamssg, posted March 12, 2009 (https://forums.phpfreaks.com/topic/149064-security-question/):

I was wondering if it would be best to mysqli-escape and trim and what-not the $_POST values before they're even compared to the db. I have a login script that checks to see if the username already exists, so it puts the POST value in the query to check... Is that dangerous to do without escaping? Or does it not matter, since it's only comparing and not inserting into the db?
Mchl, posted March 12, 2009:

You should escape all data coming from the user that is used in ANY query.
dadamssg (author), posted March 12, 2009:

What would be the best way to escape everything and make it safe? Something like this?

$variable = mysqli_escape_string($link, trim($_POST['username']));

Isn't there one that escapes HTML as well?
Mchl, posted March 12, 2009:

There is, but you only need to use it on data that will be stored in the database. Imagine a user inputs his nickname as <h1>Mchl</h1>. Obviously you wouldn't like it to appear as a header and spoil your page's layout, so you use htmlentities to change all < and > to &lt; and &gt;.
dadamssg (author), posted March 12, 2009:

OK, so there is no need to do it in a login script (not a register script), where it only compares to what's in the db and doesn't store anything in the db?
Mchl, posted March 12, 2009:

Does <h1>Mchl</h1> equal &lt;h1&gt;Mchl&lt;/h1&gt;? Not really... If you stored data using htmlentities, you must use htmlentities to select it. Otherwise MySQL will not find a match.
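The two points made in this thread, that a value used in a read-only SELECT is just as dangerous as one used in an INSERT, and that whatever transformation you apply before storing a value must also be applied before comparing it, are shown below in an added example. This is editor-supplied code, not code from any poster in the thread. It assumes a MySQL table users(id, username, password_hash), an open mysqli connection $db, and the mysqlnd driver (for get_result()); those names are assumptions. It uses a prepared statement with a bound parameter instead of mysqli_escape_string, which makes the escaping question moot because the value never becomes part of the SQL text.

```php
<?php
// Added example, not from the original thread. Assumed schema:
//   users(id INT, username VARCHAR(64), password_hash VARCHAR(255))
// $db is an assumed, already-open mysqli connection (mysqlnd driver).

// UNSAFE: the untrusted value is interpolated into the SQL text. The query only
// reads, but a username such as   admin' OR '1'='1   rewrites the WHERE clause,
// so "it only compares" does not make the value safe to paste into the query.
function find_user_unsafe(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '$username'";
    $res = $db->query($sql);
    if ($res === false) {
        return null;
    }
    return $res->fetch_assoc() ?: null;
}

// SAFE: a prepared statement sends the SQL text and the value separately, so the
// value cannot change the query's structure. No escaping is needed, and the
// comparison is made against the raw value exactly as the user typed it.
function find_user(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Login check: canonicalise once (trim), look up with a bound parameter, then
// verify the password hash. The same handling applies whether the value is
// being stored (register script) or only compared (login script).
function login(mysqli $db, array $post): ?array
{
    $username = trim($post['username'] ?? '');
    $password = $post['password'] ?? '';
    if ($username === '' || $password === '') {
        return null;
    }
    $user = find_user($db, $username);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return null; // same answer for "no such user" and "wrong password"
    }
    return $user;
}

// HTML encoding is a separate concern from SQL handling and belongs at output
// time: store the raw nickname, compare the raw nickname, encode when rendering.
// If you instead store htmlentities($name), you must also run the login value
// through htmlentities() before the SELECT, or the WHERE clause will not match:
//   '<h1>Mchl</h1>' !== htmlentities('<h1>Mchl</h1>')
function render_nickname(string $nickname): string
{
    return '<span class="nick">'
        . htmlspecialchars($nickname, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</span>';
}

// Usage (assumes $db is the open mysqli connection):
// $user = login($db, $_POST);
// echo $user !== null ? render_nickname($user['username']) : 'Login failed';
```

With the bound parameter, a username of `admin' OR '1'='1` is compared literally against the username column and simply fails to match, whereas find_user_unsafe() would return the first row in the table. Encoding at output rather than at storage also avoids the mismatch Mchl describes, because the stored value and the submitted value are both raw.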