
Pulling out MySQL data - security


Andy17

Recommended Posts

Hey guys,


In my script I am pulling out data from my MySQL database that has previously been inserted by a user from another script. I am therefore wondering how to make it as secure as possible for displaying this information on my website. I am thinking of preventing the user from entering bad code (redirecting javascript for instance).


This is something I quickly put together:

<?php
// Finding the row here
$title = stripslashes(strip_tags(htmlspecialchars(htmlentities($row['title'], ENT_QUOTES))));
?>

How safe is the code below and did I forget something/is something redundant? Do you know of any improvements? Remember that I want to display it to the users so that's why I need it to be very safe.


I did Google and search for a bit but didn't find exactly what I was looking for. If it has been up recently, I apologize.


Thank you in advance.

https://forums.phpfreaks.com/topic/162783-pulling-out-mysql-data-security/

#1 you shouldn't need to "strip slashes" and you can display html tags with htmlentities applied to it


try this:


$title = htmlentities($row['title']);


and that should work just fine, but you could do ENT_QUOTES to keep the quotes from killing anything


other than that, with all the < and > turned to html entities, they can't do any html, with no html they can't do javascript, with no javascript they can't do anything to anybody :)
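An added example, not code from the thread, contrasting the original post's chained calls with the single htmlentities() call the reply recommends; $row['title'] stands in for a value read from MySQL and the sample strings are constructed:

```php
<?php
// Added example (not from the thread). The input values below are constructed
// to stand in for titles a user stored in MySQL from another script.

// The original post's chain: htmlentities() already encodes everything, so the
// following htmlspecialchars() encodes the '&' a second time, strip_tags() then
// finds no tags left to strip, and stripslashes() removes slashes the database
// never added.
function escape_chained(string $s): string {
    return stripslashes(strip_tags(htmlspecialchars(htmlentities($s, ENT_QUOTES))));
}

// What the reply recommends: one encoding pass. ENT_QUOTES covers both quote
// characters, so the value is also safe inside a quoted attribute
// (since PHP 8.1 it is part of the default flags; passing it keeps older
// versions consistent).
function escape_once(string $s): string {
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

$samples = [
    'Tom & Jerry',                  // ordinary text with an ampersand
    '<script>alert(1)</script>',    // markup that must be shown as text, not run
    '" onmouseover="alert(1)',      // tries to break out of a quoted attribute
    "Rock 'n' Roll",                // single quotes in ordinary data
];

foreach ($samples as $title) {
    printf("input:   %s\n", $title);
    printf("chained: %s\n", escape_chained($title));   // e.g. Tom &amp;amp; Jerry
    printf("once:    %s\n\n", escape_once($title));    // e.g. Tom &amp; Jerry
}

// The escaped value can then be placed in either of the two contexts a title
// usually ends up in on a page.
$safe = escape_once('" onmouseover="alert(1)');
echo '<h1>' . $safe . '</h1>' . "\n";          // element content
echo '<input value="' . $safe . '">' . "\n";   // attribute value, quotes stay closed
```

The chained version renders "Tom &amp; Jerry" literally on the page because the ampersand was encoded twice, while the single call displays the title as entered and still turns every < > " ' into an entity.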
