tefuzz, Posted April 20, 2009

I am not currently entering the data from my form into a database; this feature will come later on. It is just an email script right now. However, I would like to make sure I am protected in either case. I have seen multiple examples using mysql_real_escape_string() and strip_tags() and stripslashes(), but which do I use? I am not allowing HTML input in my form; it is all basic information from small fields (name, address, phone #, email etc.). There will however be a text area for comments. Right now I am validating my fields with no "security", and again, I eventually would like to enter the fields into a DB instead of an email, so I need to be protected from injection. Any info would be great.
jOE :D, Posted April 20, 2009

You always want to run anything going into a DB through mysql_real_escape_string(), but then there are other methods/functions for sanitizing things like HTML or non-alphanumeric characters.
teynon, Posted April 20, 2009

htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);

That's one way to strip out some quotes. You really need to validate your input.
tefuzz (Author), Posted April 20, 2009

[quote author=jOE link=topic=248705.msg1164671#msg1164671 date=1240190038]You always want to run anything going into a DB through mysql_real_escape_string(), but then there are other methods/functions for sanitizing things like HTML or non-alphanumeric characters.[/quote]

Like I said, my fields are all basic things like name, email, telephone etc. How about things like zip codes? Just check if it's all numbers and a correct length?
jackpf, Posted April 20, 2009

mysql_real_escape_string(htmlspecialchars($string));

That should protect you against most attacks.
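The two functions in that one-liner address different sinks: mysql_real_escape_string() is for the SQL string context and htmlspecialchars() is for the HTML context, and applying both before storing means the stored value is already HTML-encoded (wrong for the email sink the poster is using, and double-encoded if it is later escaped again on output). The following is an added example, not code from the thread, showing the layering a defender would use instead: store the raw validated value through a prepared statement, and escape for HTML only at render time. It assumes the PDO SQLite driver is available; the in-memory table stands in for the MySQL table discussed above. Note that the mysql_* extension itself was removed in PHP 7.0, so prepared statements via PDO or mysqli are the only option on a current PHP anyway.

```php
<?php
// Added example: separate SQL handling from HTML escaping.
// Assumes pdo_sqlite is installed; the in-memory DB replaces the thread's MySQL table.

// Constructed sample submissions, including values that break naive string
// concatenation (an apostrophe) and naive HTML output (a script tag).
$submissions = [
    ['name' => "Mary O'Brien", 'comment' => 'Loved it; 5 stars'],
    ['name' => 'Eve',          'comment' => "<script>alert('x')</script>"],
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE feedback (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)');

// Store the raw value. The placeholders keep data out of the SQL grammar, so
// the apostrophe in O'Brien needs no escaping function at all.
$insert = $db->prepare('INSERT INTO feedback (name, comment) VALUES (:name, :comment)');
foreach ($submissions as $row) {
    $insert->execute([':name' => $row['name'], ':comment' => $row['comment']]);
}

// Escape for the HTML context only when rendering. Escaping before storage
// would double-encode here and would still be the wrong encoding for a
// non-HTML sink such as a plain-text email.
function render_row(array $row): string
{
    $name    = htmlspecialchars($row['name'],    ENT_QUOTES, 'UTF-8');
    $comment = htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8');
    return "<li><b>$name</b>: $comment</li>";
}

// Show that the database holds the values unchanged...
foreach ($db->query('SELECT name, comment FROM feedback ORDER BY id') as $row) {
    echo 'stored: ', $row['name'], ' / ', $row['comment'], "\n";
}
// ...while the HTML view renders them as inert text.
foreach ($db->query('SELECT name, comment FROM feedback ORDER BY id') as $row) {
    echo render_row($row), "\n";
}
```

Run it with `php example.php`; the first loop prints the apostrophe and the script tag exactly as submitted, the second prints them entity-encoded so the browser treats them as text rather than markup.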
teynon, Posted April 20, 2009

tefuzz, validate your input. Name should be textual: if (ctype_alpha($name)); email: preg_match("%^[a-zA-Z0-9_-]+@[a-zA-Z0-9_-]+\.[a-zA-Z0-9]{3}%"); telephone: ctype_digit or preg_match("@[0-9]{3}-[0-9]{3}-[0-9]{4}@"), etc.
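The whitelist approach in this reply, together with the zip-code question two posts up, worked through as an added example (not code from the thread): each field gets a function that accepts only the expected shape, and the form is rejected before anything reaches the mail script or a query. The concrete rules are assumptions (a US-style phone number, a 5-digit ZIP, a length cap on the comment); adjust them to your data. One caveat on the reply above: ctype_alpha() on its own rejects names containing a space or apostrophe, so the name rule below allows those.

```php
<?php
// Added example: per-field whitelist validation. Rules are assumptions, not
// rules from the thread; tighten or loosen them for your own form.

function valid_name(string $name): bool
{
    // Letters first, then letters, spaces, hyphens or apostrophes, max 80 chars.
    return (bool) preg_match("/^[A-Za-z][A-Za-z '\\-]{0,79}$/", $name);
}

function valid_email(string $email): bool
{
    // Also rejects CR/LF, which keeps header-injection payloads out of mail().
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

function valid_phone(string $phone): bool
{
    // Accept 555-123-4567 or 5551234567 after trimming surrounding whitespace.
    return (bool) preg_match('/^[0-9]{3}-?[0-9]{3}-?[0-9]{4}$/', trim($phone));
}

function valid_zip(string $zip): bool
{
    // The check asked about above: all digits and exactly the expected length.
    return ctype_digit($zip) && strlen($zip) === 5;
}

function valid_comment(string $comment): bool
{
    // Free text: bound the size only. HTML is not allowed, but it is made
    // harmless by escaping at output, not by stripping it here.
    return strlen($comment) <= 2000;
}

/** Returns the names of the fields that failed validation (empty means OK). */
function validate_form(array $post): array
{
    $rules = [
        'name'    => 'valid_name',
        'email'   => 'valid_email',
        'phone'   => 'valid_phone',
        'zip'     => 'valid_zip',
        'comment' => 'valid_comment',
    ];
    $errors = [];
    foreach ($rules as $field => $check) {
        $value = $post[$field] ?? '';
        // Non-string input (e.g. field[]=x turning the value into an array) fails too.
        if (!is_string($value) || !$check($value)) {
            $errors[] = $field;
        }
    }
    return $errors;
}

// Constructed submissions: one clean, one carrying input that must never
// reach a query or a mail header.
$good = ['name' => "Mary O'Brien", 'email' => 'mary@example.com',
         'phone' => '555-123-4567', 'zip' => '90210', 'comment' => 'Hello'];
$bad  = ['name' => "x'; DROP TABLE users; --",
         'email' => "a@b.c\r\nBcc: spam@example.net",
         'phone' => '555-1234', 'zip' => '9021O', 'comment' => 'Hello'];

print_r(validate_form($good));
print_r(validate_form($bad));
```

In the real script, replace `$good`/`$bad` with `$_POST` and only proceed to mail() or the database when validate_form() returns an empty array; validation decides what is accepted, and the escaping or parameterisation for each sink is applied separately after that.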