Escaping strings

ChaosKnight · May 1, 2010

Hi, I have a form that posts data to the database, so I'm very concerned about the security...

My question is if this will work?:

    foreach ($_POST as $field => $value){
      $$field = mysql_real_escape_string(strip_tags(trim($value)));
    }

Any help will be greatly appreciated

Ken2k7 · May 1, 2010

What's $$field? You'll need to use $_POST[$field].

Daniel0 · May 1, 2010

What's $$field? You'll need to use $_POST[$field].

http://dk2.php.net/manual/en/language.variables.variable.php

As for the question, you don't need to use strip_tags when inserting into a database, and I would be wary about creating variables dynamically like that. You risk overriding other variables, which is why register globals is discouraged and deprecated.

Ken2k7 · May 1, 2010

What's $$field? You'll need to use $_POST[$field].

http://dk2.php.net/manual/en/language.variables.variable.php

+1

Thank you.

ChaosKnight · May 1, 2010

So is this secure enough to go to the database?:

$message = mysql_real_escape_string($_POST['message']);

Daniel0 · May 1, 2010

Assuming you're using MySQL, yes, that should be sufficient in most cases.

Sign In

Escaping strings

Recommended Posts

ChaosKnight

Link to comment

Share on other sites

Ken2k7

Link to comment

Share on other sites

Daniel0

Link to comment

Share on other sites

Ken2k7

Link to comment

Share on other sites

ChaosKnight

Link to comment

Share on other sites

Daniel0

Link to comment

Share on other sites

Archived

Browse

Activity

Important Information