Xiode Posted April 12, 2007
I have been searching and searching for a fail-proof method of securing my variables... I don't know if I have quite gotten there yet... I can use mysql_real_escape_string() to secure $var going into the DB. I can use stripslashes() for stuff coming out of the DB. What should I use to secure $_POST and $_GET $vars until they get to the DB? Should I use $var = addslashes($_GET['var']); or $var = htmlspecialchars($_GET['var'], ENT_QUOTES);? But I also should have a separate check for $vars like $id to make sure they are actually a #.
https://forums.phpfreaks.com/topic/46721-securing-variables/
papaface Posted April 12, 2007
mysql_real_escape_string() sanitizes the code that goes into the db. So unless I am wrong, that is all you need to use.
Xiode (Author) Posted April 12, 2007
But what about all the data being passed through $_POST and $_GET... Because some of this is going to be used in sticky forms... Now... Do I need runtime on to have posted data cleaned by MQ?
magic_quotes_gpc On On
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off
papaface Posted April 12, 2007
I use this at the top of every page (using an include):

    // mysql_real_escape_string() needs an open mysql_* connection, so connect first.
    if (!function_exists('mysql_real_escape_array')) {
        // Escape every value in a flat array of request data.
        function mysql_real_escape_array($t) {
            return array_map("mysql_real_escape_string", $t);
        }
    }
    // array_map() returns a new array, so the result has to be assigned back.
    $_GET  = mysql_real_escape_array($_GET);
    $_POST = mysql_real_escape_array($_POST);

That sanitizes the $_POST and $_GET arrays, so you don't have to do it for every single variable.
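The separation the question is reaching for (check that $id is really a number, keep request values out of the SQL text, and escape only when echoing a value back into the sticky form), as an added example that is not code from the thread. It swaps the mysql_* functions for PDO prepared statements, since the mysql extension has since been removed from PHP, and assumes a users table with id and name columns; the in-memory SQLite database is a constructed stand-in so the script runs by itself.

```php
<?php
// Added example, not from the thread. Three separate jobs: validate, query, output.
// SQLite in memory is used so this runs stand-alone; with MySQL only the DSN changes.
declare(strict_types=1);

// 1. Validate: an id must be a whole number >= 1. Bad input is rejected, not escaped.
function validate_id(array $input, string $key): ?int
{
    if (!isset($input[$key])) {
        return null;
    }
    $id = filter_var($input[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 2. Query: bind the value so it never becomes part of the SQL text (nothing to escape).
function fetch_user(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Output: escape when echoing a raw request value into an HTML attribute (sticky form).
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample database and requests (stand-ins for a real table and $_GET).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->prepare('INSERT INTO users (id, name) VALUES (?, ?)')->execute([7, "O'Brien"]);

$good = ['id' => '7', 'name' => 'O\'Brien "<b>"'];
$bad  = ['id' => '7abc'];   // not an integer: validate_id() returns null, no query is run

$id = validate_id($good, 'id');
var_dump($id === null ? null : fetch_user($db, $id));
var_dump(validate_id($bad, 'id'));

// The quote and angle brackets in the name come out entity-encoded, so the
// attribute cannot be broken out of when the form is redisplayed.
echo '<input type="text" name="name" value="' . html_attr($good['name']) . '">', PHP_EOL;
```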
This topic is now archived and is closed to further replies.