Andy17 Posted June 18, 2009

Hey guys,

In my script I am pulling out data from my MySQL database that has previously been inserted by a user from another script. I am therefore wondering how to make it as secure as possible for displaying this information on my website. I am thinking of preventing the user from entering bad code (redirecting JavaScript, for instance). This is something I quickly put together:

```php
<?php
// Finding the row here
$title = stripslashes(strip_tags(htmlspecialchars(htmlentities($row['title'], ENT_QUOTES))));
?>
```

How safe is the code below, and did I forget something / is something redundant? Do you know of any improvements? Remember that I want to display it to the users, so that's why I need it to be very safe. I did Google and search for a bit but didn't find exactly what I was looking for. If it has been up recently, I apologize. Thank you in advance.
RussellReal Posted June 18, 2009

#1: You shouldn't need to "strip slashes", and you can display HTML tags with htmlentities applied to them. Try this:

`$title = htmlentities($row['title']);`

That should work just fine, but you could use ENT_QUOTES to keep the quotes from killing anything. Other than that, with all the < and > turned to HTML entities, they can't do any HTML; with no HTML they can't do JavaScript; with no JavaScript they can't do anything to anybody.
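The encoding RussellReal recommends, shown as an added example that is not part of either post: it runs the question's stacked call and a single htmlspecialchars() call over a few constructed titles so the double encoding becomes visible. $rows, stacked() and encoded() are assumed names, and the titles are constructed sample values.

```php
<?php
// Added example, not code from the thread: compare the stacked call from the
// question with one htmlspecialchars() call at output time.
// $rows stands in for rows fetched from MySQL; the values are constructed.
$rows = [
    ['title' => 'Tom & Jerry'],               // legitimate text containing '&'
    ['title' => '<script>alert(1)</script>'], // stored markup
    ['title' => '" onmouseover="x'],          // text that would close an attribute
];

// The stacked version from the question.
function stacked(string $s): string
{
    // htmlentities() already turns '<', '>', '&' and quotes into entities, so
    // the following htmlspecialchars() encodes the '&' of every entity a
    // second time; strip_tags() then finds no '<' left to act on, and
    // stripslashes() only removes backslashes, which mean nothing to HTML.
    return stripslashes(strip_tags(htmlspecialchars(htmlentities($s, ENT_QUOTES))));
}

// One encoding pass at output time. ENT_QUOTES also encodes single quotes,
// so the result is safe inside single- and double-quoted attributes as well
// as in element bodies; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string; the charset is stated explicitly.
function encoded(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($rows as $row) {
    printf("raw:     %s\nstacked: %s\nencoded: %s\n\n",
        $row['title'], stacked($row['title']), encoded($row['title']));
}

// Encode where the value is emitted. One encoded value serves both an
// element body and a quoted attribute; a <script> block or a URL would
// need a different encoding and is not covered here.
$safe = encoded($rows[2]['title']);
echo "<h1>{$safe}</h1>\n";
echo "<input type=\"text\" value=\"{$safe}\">\n";
```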