htmlentities(), strip_tags(), utf8_decode(), stripslashes ()

Miss-Ruth · December 8, 2010

I'm using the following filters to prevent email injection. Is this sufficient to prevent an injection/hijacking? or am I missing something?

$email = $_POST['email'];
$email = strip_tags($email);
$email = htmlentities($email);
$email =utf8_decode($email);
$email = stripslashes ($email);
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);

I really appreciate your feedback.

fenway · December 8, 2010

Removing tags, html entities, UTF-8 characters, slashes and non-email characters won't help you in you haven't escaped SQL metacharacters.

Miss-Ruth · December 9, 2010

is that "preg_match()"?

fenway · December 9, 2010

is that "preg_match()"?

Nope -- that's just a regex call.

Miss-Ruth · December 10, 2010

Nope -- that's just a regex call.

Well... what's the function are you referring to?

fenway · December 10, 2010

Usually the DB interface class exposes some sort of quote() function... depends on how you're connecting.

Miss-Ruth · December 10, 2010

Interesting. Please tell me what do you mean by "depends on how you're connecting".

fenway · December 10, 2010

I mean it depends which DB class you're using.

Sign In

htmlentities(), strip_tags(), utf8_decode(), stripslashes ()

Recommended Posts

Miss-Ruth

Link to comment

Share on other sites

fenway

Link to comment

Share on other sites

Miss-Ruth

Link to comment

Share on other sites

fenway

Link to comment

Share on other sites

Miss-Ruth

Link to comment

Share on other sites

fenway

Link to comment

Share on other sites

Miss-Ruth

Link to comment

Share on other sites

fenway

Link to comment

Share on other sites

Join the conversation

Browse

Activity

Important Information