Andy17 Posted June 18, 2009

Hey guys,

In my script I am pulling out data from my MySQL database that has previously been inserted by a user from another script. I am therefore wondering how to make it as secure as possible for displaying this information on my website. I am thinking of preventing the user from entering bad code (redirecting javascript for instance). This is something I quickly put together:

    <?php
    // Finding the row here
    $title = stripslashes(strip_tags(htmlspecialchars(htmlentities($row['title'], ENT_QUOTES))));
    ?>

How safe is the code below, and did I forget something / is something redundant? Do you know of any improvements? Remember that I want to display it to the users, so that's why I need it to be very safe.

I did Google and search for a bit but didn't find exactly what I was looking for. If it has been up recently, I apologize.

Thank you in advance.
RussellReal Posted June 18, 2009

#1 you shouldn't need to "strip slashes", and you can display html tags with htmlentities applied to it. Try this:

    $title = htmlentities($row['title']);

and that should work just fine, but you could do ENT_QUOTES to keep the quotes from killing anything. Other than that, with all the < and > turned to html entities, they can't do any html; with no html they can't do javascript; with no javascript they can't do anything to anybody.
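To show the difference between the layered call from the first post and a single escape at output time, here is an added example (not code from either poster). It assumes a constructed sample title and uses only standard PHP functions; escape_for_html and layered_escape are names chosen for this example.

```php
<?php
// Added example: escape once, at the point where the value is echoed into HTML,
// and keep the stored database value raw. The sample title is constructed.

// One escaping function for every value written into HTML text or an attribute.
function escape_for_html(string $value): string
{
    // ENT_QUOTES also converts single quotes, so the result is safe inside
    // single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 bytes
    // instead of making htmlspecialchars() return an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The call chain from the first post, kept for comparison.
function layered_escape(string $value): string
{
    return stripslashes(strip_tags(htmlspecialchars(htmlentities($value, ENT_QUOTES))));
}

// Decoding the escaped text once should give back exactly what the user typed.
// If it does not, the value was encoded twice and the browser will show
// literal "&amp;" sequences instead of the original characters.
function round_trips(string $escaped, string $original): bool
{
    return html_entity_decode($escaped, ENT_QUOTES, 'UTF-8') === $original;
}

// Constructed sample: a title with an ampersand, both quote types and a tag.
$title = "Tom & Jerry's <script>alert(1)</script> \"review\"";

$single  = escape_for_html($title);
$layered = layered_escape($title);

// Both uses below are safe with $single: the tag and quotes arrive as entities.
echo "<h1>" . $single . "</h1>\n";
echo "<input type=\"text\" value=\"" . $single . "\">\n";

printf("single escape round-trips:  %s\n", round_trips($single, $title) ? 'yes' : 'no');
printf("layered escape round-trips: %s\n", round_trips($layered, $title) ? 'yes' : 'no');
```

The single escape decodes back to the original title, while the layered chain does not, because htmlentities() already converted the ampersand and htmlspecialchars() then encoded that entity again; strip_tags() and stripslashes() have nothing left to act on by that point.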