tqla Posted May 26, 2009 Share Posted May 26, 2009 Hello. Will this effectively prevent the $_POST["text'] field from being used to attack my database? Or is it overkill? Thanks. $text= htmlentities(strip_tags(trim(mysql_real_escape_string($_POST["text"])))); Quote Link to comment Share on other sites More sharing options...
GingerRobot Posted May 26, 2009 Share Posted May 26, 2009 It's overkill. You only need to be using mysql_real_escape_string to prevent the injection. That is plenty sufficient. You might like to use some of the other functions when you output the data, but probably not before. As a general rule of thumb, you should be looking to preserve the original text as much as possible in the database -- for the simple reason that the specifications might change. You might find that, at some point in the future, you really did want any html tags left in, for example. Quote Link to comment Share on other sites More sharing options...
tqla Posted May 26, 2009 Author Share Posted May 26, 2009 Thanks GR! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.