MySQL + PHP Best Practices.



#1 SharkBait

Posted 11 September 2006 - 05:23 PM

Hi,

When using PHP with MySQL what are some good rules for processing $_GET variables?

Should each $_GET[] have a mysql_real_escape_string() thrown around it to help with possible injections?

What are your recommendations without using a 3rd party class?

#2 obsidian

Posted 11 September 2006 - 05:38 PM

As far as the first one, it really depends on the type of input field, but as a general rule, every user input should at the very least get escaped with addslashes() or mysql_real_escape_string() before being inserted. You should probably run strip_tags() and some other checks on it as well. It's usually a good practice to write up a function or even a class to give you more control and simply pass your $_POST through it on each submit.
You can't win, you can't lose, you can't break even... you can't even get out of the game.

<?php
while (count($life->getQuestions()) > 0)
{   $life->study(); } ?>
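An added example, not code from either poster, of the kind of input-handling helper the reply above recommends: each $_GET key is validated against what it is supposed to be (integer id, allow-listed category, bounded free text) and the query is built with bound parameters instead of string escaping. The products table, its columns and the in-memory SQLite connection are assumptions so the script runs stand-alone; for MySQL, swap the DSN for the mysql: form. Worth knowing when reading the thread today: the mysql_* extension, including mysql_real_escape_string(), was removed in PHP 7, and addslashes() is not aware of the connection charset, so bound parameters are the current form of the same advice.

```php
<?php
// Added example (not from the thread): validate $_GET by type, then query with bound parameters.
// Assumptions: a "products" table with columns id, name, category, and an in-memory SQLite
// database so this runs offline. For MySQL use the DSN 'mysql:host=...;dbname=...;charset=utf8mb4'.
declare(strict_types=1);

final class GetInput
{
    private const CATEGORIES = ['books', 'music', 'video'];

    /** Positive integer id, or null when missing or malformed ("1 OR 1=1" is rejected). */
    public static function id(array $get, string $key): ?int
    {
        if (!isset($get[$key]) || !is_string($get[$key])) {
            return null;
        }
        $v = filter_var($get[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        return $v === false ? null : $v;
    }

    /** Category restricted to a fixed allow-list; anything else is dropped. */
    public static function category(array $get, string $key): ?string
    {
        $v = $get[$key] ?? null;
        return (is_string($v) && in_array($v, self::CATEGORIES, true)) ? $v : null;
    }

    /** Free-text search term: strip control characters and cap the length. */
    public static function term(array $get, string $key, int $max = 64): ?string
    {
        $v = $get[$key] ?? null;
        if (!is_string($v) || $v === '') {
            return null;
        }
        $v = preg_replace('/[\x00-\x1F\x7F]/', '', $v);
        return mb_substr($v, 0, $max);
    }
}

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares where the driver supports them
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    // Constructed sample data for the demonstration.
    $pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL, category TEXT NOT NULL)');
    $pdo->exec("INSERT INTO products VALUES (1, 'Hash Functions', 'books'),
                                            (2, 'Applied Cryptography', 'books'),
                                            (3, 'Blue', 'music')");
    return $pdo;
}

/** Build the WHERE clause only from inputs that passed validation; values are always bound, never concatenated. */
function findProducts(PDO $pdo, array $get): array
{
    $sql  = 'SELECT id, name, category FROM products WHERE 1 = 1';
    $bind = [];
    if (($id = GetInput::id($get, 'id')) !== null) {
        $sql .= ' AND id = :id';
        $bind[':id'] = [$id, PDO::PARAM_INT];
    }
    if (($cat = GetInput::category($get, 'category')) !== null) {
        $sql .= ' AND category = :category';
        $bind[':category'] = [$cat, PDO::PARAM_STR];
    }
    if (($term = GetInput::term($get, 'q')) !== null) {
        // Binding protects the SQL syntax, but LIKE wildcards are data: escape % and _ so they match literally.
        $sql .= " AND name LIKE :term ESCAPE '!'";
        $bind[':term'] = ['%' . addcslashes($term, '%_!') . '%', PDO::PARAM_STR];
    }
    $stmt = $pdo->prepare($sql);
    foreach ($bind as $name => [$value, $type]) {
        $stmt->bindValue($name, $value, $type);
    }
    $stmt->execute();
    return $stmt->fetchAll();
}

if (PHP_SAPI === 'cli') {
    $pdo = openDb();
    // Constructed query strings standing in for $_GET: one legitimate, one hostile.
    $legit   = ['id' => '2', 'category' => 'books'];
    $hostile = ['id' => '1 OR 1=1', 'category' => "books' --", 'q' => "' OR '1'='1"];
    echo json_encode(findProducts($pdo, $legit),   JSON_PRETTY_PRINT), "\n"; // one row: Applied Cryptography
    echo json_encode(findProducts($pdo, $hostile), JSON_PRETTY_PRINT), "\n"; // []: id and category rejected, q bound as a literal
}
```

Running it from the command line (`php example.php`) prints the single matching row for the legitimate input and an empty array for the hostile one: the malformed id and category never reach the query, and the quote-laden search term is compared as plain text. The same class can be pointed at $_POST unchanged, which is the "pass your input through one function" pattern the reply suggests.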

#3 SharkBait

Posted 11 September 2006 - 05:56 PM

I'll look into doing a function/class for this. Thanks, obsidian.