Source: https://forums.phpfreaks.com/topic/154812-protecting-forms-from-user-input/

tefuzz, posted April 20, 2009:

I am not currently entering the data from my form into a database; this feature will come later on. It is just an email script right now. However, I would like to make sure I am protected in either case. I have seen multiple examples using mysql_real_escape_string(), strip_tags() and stripslashes(), but which do I use? I am not allowing HTML input in my form; it is all basic information from small fields (name, address, phone #, email etc.). There will, however, be a text area for comments. Right now I am validating my fields with no "security", and again, I eventually would like to enter the fields into a DB instead of an email, so I need to be protected from injection. Any info would be great.
jOE :D, posted April 20, 2009:

You always want to run anything going into a db through mysql_real_escape_string(), but then there are other methods/functions for sanitizing things like HTML or non-alphanumeric characters.
teynon, posted April 20, 2009:

htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);

That's one way to strip out some quotes. You really need to validate your input.
tefuzz (author), posted April 20, 2009:

jOE wrote:
> You always want to run anything going into a db through mysql_real_escape_string(), but then there are other methods/functions for sanitizing things like HTML or non-alphanumeric characters.

Like I said, my fields are all basic things like name, email, telephone etc. How about things like zip codes? Just check if it's all numbers and a correct length?
jackpf, posted April 20, 2009:

mysql_real_escape_string(htmlspecialchars($string));

That should protect you against most attacks.
teynon, posted April 20, 2009:

tefuzz, validate your input. Name should be textual: if (ctype_alpha($name)). Email: preg_match("%^[a-zA-Z0-9_-]+@[a-zA-Z0-9_-]+\.[a-zA-Z0-9]{3}%", $email). Telephone: ctype_digit($phone) or preg_match("@[0-9]{3}-[0-9]{3}-[0-9]{4}@", $phone), etc.
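The thread's advice comes in three pieces: validate each field against what it is allowed to contain (teynon), keep user data out of the SQL (jOE, jackpf), and escape for HTML when you display it (teynon, jackpf). The example below is added here and is not code from any of the posters; it puts those pieces into one script for the fields tefuzz describes. It swaps in two things the thread does not use: filter_var() with FILTER_VALIDATE_EMAIL instead of a hand-written email regex, and a PDO prepared statement instead of mysql_real_escape_string() (the mysql_* functions were removed in PHP 7, and a prepared statement keeps data and SQL separate without any escaping step). The field names, the submissions table, the in-memory SQLite DSN and the US-style 10-digit phone and 5-digit zip rules are assumptions for illustration.

```php
<?php
// Added example, not from the forum thread. Field names, table name, DSN and
// the US phone/zip formats are assumptions chosen for illustration.
declare(strict_types=1);

// Whitelist validation: each field is checked against the shape it may have.
// Returns ['clean' => [...], 'errors' => [...]]; an empty 'errors' means OK.
function validate_contact_form(array $post): array
{
    $clean  = [];
    $errors = [];

    // Name: letters, spaces, hyphens and apostrophes, 1..100 characters.
    $name = trim($post['name'] ?? '');
    if ($name === '' || strlen($name) > 100 || !preg_match("/^[A-Za-z' -]+$/", $name)) {
        $errors['name'] = 'name must be 1-100 letters, spaces, hyphens or apostrophes';
    } else {
        $clean['name'] = $name;
    }

    // Email: PHP's own validator, plus the RFC length cap, instead of a custom regex.
    $email = trim($post['email'] ?? '');
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid email address';
    } else {
        $clean['email'] = $email;
    }

    // Phone: drop formatting characters, then require exactly 10 digits (assumed US format).
    $digits = preg_replace('/[^0-9]/', '', $post['phone'] ?? '');
    if (!ctype_digit($digits) || strlen($digits) !== 10) {
        $errors['phone'] = 'phone must contain exactly 10 digits';
    } else {
        $clean['phone'] = $digits;
    }

    // Zip: exactly 5 digits, i.e. the "all numbers and a correct length" check from the thread.
    $zip = trim($post['zip'] ?? '');
    if (!ctype_digit($zip) || strlen($zip) !== 5) {
        $errors['zip'] = 'zip must be exactly 5 digits';
    } else {
        $clean['zip'] = $zip;
    }

    // Comments: free text, so only bound its length; HTML escaping is done at output time.
    $comments = trim($post['comments'] ?? '');
    if (strlen($comments) > 2000) {
        $errors['comments'] = 'comments limited to 2000 characters';
    } else {
        $clean['comments'] = $comments;
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// Storage: a prepared statement binds values separately from the SQL text,
// so quotes in the data (e.g. O'Brien) cannot change the query.
function store_submission(PDO $db, array $clean): void
{
    $stmt = $db->prepare(
        'INSERT INTO submissions (name, email, phone, zip, comments)
         VALUES (:name, :email, :phone, :zip, :comments)'
    );
    $stmt->execute([
        ':name'     => $clean['name'],
        ':email'    => $clean['email'],
        ':phone'    => $clean['phone'],
        ':zip'      => $clean['zip'],
        ':comments' => $clean['comments'],
    ]);
}

// Output: escape for the HTML context when rendering, not when storing.
function render_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submission (not real data); in production use $_POST.
$sample = [
    'name'     => "Mary O'Brien",
    'email'    => 'mary@example.com',
    'phone'    => '(555) 123-4567',
    'zip'      => '90210',
    'comments' => "<b>Thanks</b> & regards",
];

$result = validate_contact_form($sample);
if ($result['errors'] !== []) {
    print_r($result['errors']);
    exit(1);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT, zip TEXT, comments TEXT)');
store_submission($db, $result['clean']);

$row = $db->query('SELECT name, comments FROM submissions')->fetch(PDO::FETCH_ASSOC);
echo render_field($row['name']), ' wrote: ', render_field($row['comments']), PHP_EOL;
```

Two points the thread circles around are made explicit here. Escaping is context-specific: the prepared statement handles the SQL context and htmlspecialchars() handles the HTML context, so nothing is double-escaped the way mysql_real_escape_string(htmlspecialchars($string)) would do before storage. And validation rejects rather than "cleans": a phone number that is not ten digits is an error, not something to be silently repaired.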