raslin Posted April 27, 2010

I am using PHP 5 and this is the way I am securing data:

To be sure it's an integer:
$var = (int) $_POST["var"];

To work with any string:
$var = htmlspecialchars($var, ENT_QUOTES);

Is this enough? Do I need to add mysql_real_escape_string, or is the code above enough for everything? Thanks a lot!
trq Posted April 27, 2010

Assuming you're going to be using the data in database queries, then of course you still need to escape your data properly. The above snippets do NOTHING to protect you against SQL injections.
raslin Posted April 27, 2010 (Author)

Wow, thanks a lot! Is adding mysql_real_escape_string to every POST and GET enough to secure data that works with MySQL? Thanks again!
Mchl Posted April 27, 2010

Actually, casting to int is a good protection against injection.
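The distinction the replies draw, written out in code. This is an added example, not code from the thread: it assumes a `users(id, name)` table in MySQL reached through PDO, and the DSN and credentials are placeholders. The (int) cast from the first post is kept for the numeric case; for strings it uses a prepared statement rather than mysql_real_escape_string, which belongs to the old mysql extension that was removed in PHP 7.

```php
<?php
// Added example, not from the thread. Assumes a table users(id INT, name VARCHAR)
// and a PDO connection; the DSN and credentials below are placeholders.

// 1. Integer input: the (int) cast from the thread is enough on its own, because
//    the result can only ever be digits (with an optional leading minus sign).
//    The prepared statement is used anyway so that every query looks the same.
function findUserById(PDO $db, string $rawId): ?array
{
    $id = (int) $rawId;                       // "42abc" becomes 42, "abc" becomes 0
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// 2. String input, the pattern from the first post: htmlspecialchars() is HTML
//    output encoding. It is not a SQL escaping step, and the encoded form is not
//    the value the user typed, so this lookup compares against the wrong string
//    (O'Brien is looked up as O&#039;Brien) while still splicing input into SQL.
function findUserByNameUnsafe(PDO $db, string $rawName): ?array
{
    $name = htmlspecialchars($rawName, ENT_QUOTES);
    $sql  = "SELECT id, name FROM users WHERE name = '$name'";   // string concatenation
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}

// 3. String input, parameterised: the value is sent separately from the SQL text,
//    so quotes and backslashes in it are plain data and nothing needs escaping.
function findUserByName(PDO $db, string $rawName): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$rawName]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// HTML encoding belongs at the browser boundary, applied when the value is
// printed, not when it is stored.
function renderName(?array $user): string
{
    return htmlspecialchars($user['name'] ?? 'unknown', ENT_QUOTES, 'UTF-8');
}

// Usage. DSN and credentials are placeholders (constructed).
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpassword', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

echo renderName(findUserById($db, $_POST['id'] ?? '0')), "\n";
echo renderName(findUserByName($db, $_POST['name'] ?? '')), "\n";
```

Each boundary gets its own encoding: the database receives raw values through bound parameters, and the browser receives HTML-encoded values at output time. Applying htmlspecialchars() on the way in both leaves the query built by concatenation and stores mangled data; the (int) cast is the one case where a conversion on the way in is sufficient, since the result cannot contain anything but a number.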