protecting forms from user input

[tefuzz]

I am not currently entering the data from my form into a database, this feature will come later on. it is just an email script right now . However, I would like to make sure i am protected in either case. I have seen multiple examples using mysql_real_escape_string() and strip_tags() and strip_slashes(). but which do I use?

 

I am not allowing HTML input in my form, it is all basic information, from small fields (name, address, phone #, email etc) There will however be a text area for comments. Right now I am validating my fields with no "security", and again, I eventually would like to enter the fields to a DB instead of an email, so i ned to be protected from injection. Any info would be great

[jOE :D]

You always want to run any doing going into a db through mysql_real_escape_string(), but then there are other methods/functions for sanitizing things like HTML or non alpha numeric characters.

[teynon]

htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);

 

Thats one way to strip out some quotes. You really need to validate your input.

[tefuzz]

[quote author=jOE link=topic=248705.msg1164671#msg1164671 date=1240190038]

You always want to run any doing going into a db through mysql_real_escape_string(), but then there are other methods/functions for sanitizing things like HTML or non alpha numeric characters.

 

like i said, my fields are all basic things like name, email telephone etc. how about things like zip codes? just check if its all numbers, and a correct length?

[jackpf]

mysql_real_escape_string(htmlspecialchars($string));

That should protect you against most attacks.

[teynon]

tefuzz, validate your input. name should be textual if (ctype_alpha($name)), email: preg_match("%^[a-zA-Z0-9_-]+@[a-zA-Z0-9_-]+\.[a-zA-Z0-9]{3}%"), telephone: ctype_digit or preg_match("@[0-9]{3}-[0-9]{3}-[0-9]{4}@"), etc.