CloudSex13 Posted October 27, 2010 Share Posted October 27, 2010 Hi all, Thanks for reading. I'm developing my first website with user registration, login, and account settings, and I was wondering what the best way would be to prevent the site from security flaws, SQL injection, etc. I've read up on it, but, as an example, would the following be suitable? $username = trim(stripslashes(mysql_real_escape_string($_POST['username']))); I guess what I'm asking is, is the above normal? Is there a simpler way to make input from the user secure? Thank you. Link to comment https://forums.phpfreaks.com/topic/217041-safest-secure-way-for-handling-post-variables/ Share on other sites More sharing options...
BlueSkyIS Posted October 27, 2010 Share Posted October 27, 2010 what I do to request values that are going into the database: $somevar = trim($_POST['somevar']); // trim off extra space if (get_magic_quotes_gpc()) { // if magic_quotes is turned on, strip slashes $somevar = stripslashes($somevar); } $somevar = mysql_real_escape_string($somevar); // $somevar is safe for database by the way, don't put stripslashes() around mysql_real_escape_string, because stripslashes will strip the slashes out that mysql_real_escape_string puts in. Link to comment https://forums.phpfreaks.com/topic/217041-safest-secure-way-for-handling-post-variables/#findComment-1127264 Share on other sites More sharing options...
AbraCadaver Posted October 27, 2010 Share Posted October 27, 2010 You only want to stripslashes() if you have magic_quotes_gpc enabled and in your example you are possibly adding slashes with mysql_real_escape_string() and then immediately stripping them. You could probably do something like this: if(magic_quotes_gpc()) { $_POST = array_map('stripslashes', $_POST); } $_POST = array_map('mysql_real_escape_string', $_POST); Beat me to it! So I will also add the trim: $_POST = array_map('mysql_real_escape_string', array_map('trim', $_POST)); Link to comment https://forums.phpfreaks.com/topic/217041-safest-secure-way-for-handling-post-variables/#findComment-1127265 Share on other sites More sharing options...
BlueSkyIS Posted October 27, 2010 Share Posted October 27, 2010 ^ much more concise. i need to remember to use array_map. Link to comment https://forums.phpfreaks.com/topic/217041-safest-secure-way-for-handling-post-variables/#findComment-1127266 Share on other sites More sharing options...
CloudSex13 Posted October 27, 2010 Author Share Posted October 27, 2010 BlueSkyIS, AbraCadaver: Brilliant replies - thank you kindly for the suggested feedback! Additionally, the PHP.net manual seems to state that Magic Quotes are now deprecated. Is this still the most efficient way to manage secure POST variables? I'm sure I'm just missing something, as my knowledge with "Magic Quotes" is limited. Ref: http://php.net/manual/en/security.magicquotes.php Thank you again. Link to comment https://forums.phpfreaks.com/topic/217041-safest-secure-way-for-handling-post-variables/#findComment-1127268 Share on other sites More sharing options...
AbraCadaver Posted October 27, 2010 Share Posted October 27, 2010 It's deprecated as of 5.3, so if you will only be running 5.3+ then there is no need to worry about this. Link to comment https://forums.phpfreaks.com/topic/217041-safest-secure-way-for-handling-post-variables/#findComment-1127318 Share on other sites More sharing options...
CloudSex13 Posted October 28, 2010 Author Share Posted October 28, 2010 Thanks very much! I now understand. Link to comment https://forums.phpfreaks.com/topic/217041-safest-secure-way-for-handling-post-variables/#findComment-1127536 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.