Pulling out MySQL data - security


Andy17

Hey guys,

In my script I am pulling out data from my MySQL database that has previously been inserted by a user from another script. I am therefore wondering how to make it as secure as possible for displaying this information on my website. I am thinking of preventing the user from entering bad code (redirecting javascript for instance).

This is something I quickly put together:

<?php
// Finding the row here
$title = stripslashes(strip_tags(htmlspecialchars(htmlentities($row['title'], ENT_QUOTES))));
?>

How safe is the code below and did I forget something/is something redundant? Do you know of any improvements? Remember that I want to display it to the users so that's why I need it to be very safe.

I did Google and search for a bit but didn't find exactly what I was looking for. If it has been up recently, I apologize.

Thank you in advance.

#1 you shouldn't need to "strip slashes" and you can display html tags with htmlentities applied to it

try this:

$title = htmlentities($row['title']);

and that should work just fine, but you could do ENT_QUOTES to keep the quotes from killing anything

other than that, with all the < and > turned to html entities, they can't do any html, with no html they can't do javascript, with no javascript they can't do anything to anybody :)

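The following is an added example, not code from either poster. It runs the asker's filter chain and the reply's single htmlentities() call side by side on a few constructed titles standing in for $row['title'] (no database involved), so the double encoding caused by stacking htmlentities() and htmlspecialchars() is visible, and so the effect of ENT_QUOTES on a value placed inside an attribute can be seen. The function names originalChain and escapeForHtml are my own.

```php
<?php
// Added example: compares the asker's chain with a single htmlentities() call.
// $row['title'] is simulated with a hardcoded array of constructed sample titles.

declare(strict_types=1);

// The asker's chain, kept exactly as posted, for comparison only.
// htmlspecialchars() re-encodes the '&' that htmlentities() just produced,
// and strip_tags()/stripslashes() then operate on text that has no tags or slashes left.
function originalChain(string $title): string
{
    return stripslashes(strip_tags(htmlspecialchars(htmlentities($title, ENT_QUOTES))));
}

// One encoding pass. ENT_QUOTES encodes both " and ' so the value is also safe
// inside a quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string; the charset is given explicitly rather than relying
// on the PHP-version-dependent default.
function escapeForHtml(string $title): string
{
    return htmlentities($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values standing in for $row['title'].
$samples = [
    'Plain title',
    'Tom & Jerry <3',              // legitimate characters that must display as typed
    '<script>alert(1)</script>',   // markup that must be shown as text, not interpreted
    '" onmouseover="alert(1)',     // breaks out of an attribute unless quotes are encoded
    "O'Reilly",                    // single quote: only ENT_QUOTES handles it
];

foreach ($samples as $title) {
    echo "input:   {$title}\n";
    // Double-encoded: the browser shows the literal text "&amp;" and "&lt;".
    echo "chain:   " . originalChain($title) . "\n";
    // Single-encoded: the browser shows the original characters but never parses them as markup.
    echo "escaped: " . escapeForHtml($title) . "\n";
    // The same escaped value is safe both as element content and in a double-quoted attribute.
    echo '<p title="' . escapeForHtml($title) . '">' . escapeForHtml($title) . "</p>\n\n";
}
```

For the second sample the chain yields `Tom &amp;amp; Jerry &amp;lt;3`, which a browser renders as the literal string `Tom &amp; Jerry &lt;3`; escapeForHtml() yields `Tom &amp; Jerry &lt;3`, which renders as `Tom & Jerry <3`. This encoding is correct for HTML element content and quoted attribute values only; a value placed inside a JavaScript block, a URL, or a CSS declaration needs the encoding for that context instead.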
