Yeodan Posted May 2, 2009 Share Posted May 2, 2009 I'm currently using mysql_real_escape_string for all the user input on my pages, is that secure enough or should I do more / other things to the user input before using it / sending it to my database? Quote Link to comment Share on other sites More sharing options...
ignace Posted May 2, 2009 Share Posted May 2, 2009 Well that depends you could ofcourse also use strip_tags() if you don't want any html tags in your database Quote Link to comment Share on other sites More sharing options...
Yeodan Posted May 2, 2009 Author Share Posted May 2, 2009 Well that depends you could ofcourse also use strip_tags() if you don't want any html tags in your database are html tags capable of doing anything bad or wrong in my database? or will they do anything bad to the way my website looks? if not I don't really mind, but I guess they will? =( Quote Link to comment Share on other sites More sharing options...
the182guy Posted May 2, 2009 Share Posted May 2, 2009 mysql_real_escape_string() is secure enough to prevent SQL Injection attacks when taking user input and storing it in the database. Should note that this function sends the data to the database to be escaped, so if for example you are looping a lot of queries, or inserting a long list of fields (such as a registration form) then the database is going to take a lot of hits. An alternative in that case is MySQLi Prepared Statements, which will take care of all the SQL Injection prevention for you. If you are displaying user input on the page then you should consider removing any HTML tags because if you don't you would be vulnerable to an XSS (aka cross site scripting) attack, basically where a user could insert malicious javascript into the page. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.