tqla Posted May 26, 2009 Share Posted May 26, 2009 Hello. Will this effectively prevent the $_POST["text'] field from being used to attack my database? Or is it overkill? Thanks. $text= htmlentities(strip_tags(trim(mysql_real_escape_string($_POST["text"])))); Link to comment https://forums.phpfreaks.com/topic/159670-solved-is-this-overkill-to-prevent-injection-attacks/ Share on other sites More sharing options...
GingerRobot Posted May 26, 2009 Share Posted May 26, 2009 It's overkill. You only need to be using mysql_real_escape_string to prevent the injection. That is plenty sufficient. You might like to use some of the other functions when you output the data, but probably not before. As a general rule of thumb, you should be looking to preserve the original text as much as possible in the database -- for the simple reason that the specifications might change. You might find that, at some point in the future, you really did want any html tags left in, for example. Link to comment https://forums.phpfreaks.com/topic/159670-solved-is-this-overkill-to-prevent-injection-attacks/#findComment-842125 Share on other sites More sharing options...
tqla Posted May 26, 2009 Author Share Posted May 26, 2009 Thanks GR! Link to comment https://forums.phpfreaks.com/topic/159670-solved-is-this-overkill-to-prevent-injection-attacks/#findComment-842434 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.