
Similar and confusing syntax


vijdev


Can someone please help me with the following. I have gone from zero to all understood to all confused!

When to use what, and which is the best method to not get my site hacked with injections, etc.?

Should I use more than any one of the below simultaneously and in what instances?

strip_tags()

htmlentities()

stripslashes()

mysql_real_escape_string()

addslashes()

trim()

htmlspecialchars()

urlencode()

and any other similar working ones()

https://forums.phpfreaks.com/topic/201932-similar-and-confusing-syntax/

One of the following:

mysql_real_escape_string()

addslashes()

should be used when inserting the string data into the database. Note that you must watch out for magic quotes and that it won't protect your data if they are not enclosed within quotes. Another good thing to protect against SQL injection is using PDO and data binding.

One of the following:

htmlspecialchars()

strip_tags()

When you display the data on an HTML page and you don't want the user to use HTML in this particular field. The actual choice depends on what you need. For example, I prefer htmlspecialchars(), which changes special HTML characters into entities so that they act normally. Sometimes the users might want to put them, but they do not intend to do anything bad, especially injecting HTML.

Note that none of these functions protects you against JS injection in attributes.
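The two contexts the reply separates (storing a value, then displaying it), as an added example that is not part of this thread; it uses the PDO data binding the reply mentions for the database side and htmlspecialchars() for the HTML side, and assumes a `users` table, an in-memory SQLite PDO connection and a constructed sample input.

```php
<?php
// Added example, not code from the original thread. Assumptions: a "users"
// table with a "name" column, an in-memory SQLite PDO connection, and a
// constructed sample value standing in for a submitted form field.

// 1. SQL context: bind the value instead of escaping it into the query text.
//    The reply's warning about values not enclosed in quotes does not apply
//    here, because a bound parameter never becomes part of the SQL text.
function insertUser(PDO $pdo, string $name): void
{
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// 2. HTML context: escape on output, not before storing, so the database keeps
//    the original text. ENT_QUOTES also converts ' and ", so the same function
//    is usable inside a quoted attribute value.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input, as a user might type it into the form field.
$name = '<b>O\'Reilly</b> "x" <script>alert(1)</script>';

// Legacy note (the reply's magic-quotes warning): on old PHP versions with
// magic_quotes_gpc enabled, $_POST values arrived already backslash-escaped
// and needed stripslashes() once before being bound or escaped again.

$pdo = new PDO('sqlite::memory:'); // any PDO driver binds the same way
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
insertUser($pdo, $name);

// Read the row back and escape only at the moment of rendering.
$stored = $pdo->query('SELECT name FROM users')->fetchColumn();

// Safe in element content and inside a quoted attribute value:
echo '<p>' . escapeHtml($stored) . "</p>\n";
echo '<input type="text" value="' . escapeHtml($stored) . "\">\n";

// Not made safe by any of the listed functions (the reply's final caveat):
// an unquoted attribute or an event-handler attribute such as onclick.
// Quote every attribute and keep user data out of script and event contexts.
```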
