Prevent textbox injections

[Bman900]

I know you guys said this many times before but what do you have to attach to a form so people can't inject harmful code?

[premiso]

You cannot ban them from injecting harmful code, but you can stop the code from running.

 

For example, if the text box is to be for a user's name, chances are they will not need to enter any html tags, so a simple strip_tags will prevent an XSS exploit and if it is going into the database, filtering the data or at least mysql_real_escape_stringing the data will prevent SQL Injection. For a more thorough description see this PHP Security Tutorial.

[Bman900]

So can I just use mysql_real_escape_string() on all my text boxes instead of the strip tags?

[premiso]

So can I just use mysql_real_escape_string() on all my text boxes instead of the strip tags?

 

Read the tutorial.

 

But as I said, strip_tags will prevent XSS exploits, if the text box is not suppose to contain HTML / JavaScript. XSS exploits is basically someone writing javascript code that gets run on the page which can inject cookies / redirect users to certain pages etc.  Those 2 functions prevent 2 seperate items.

 

If you are allowing HTML (not to be executed) in a textbox, you will want to look into htmlentities. Since this has been hit so many times, and I have given you the terms to search for, I will not go into greater detail on how to "secure" your script. Look at the tutorial I posted and google "prevent xss php" for more information. You can read and do research as well as I can, and since you are the one who wants to learn this, I will let you do the research.