LanceT Posted April 16, 2007
Do you think using the htmlspecialchars function makes user input safe for the mysql database? If not, what other exploits are there? Do I really need to add more to make my user input secure?
marcus Posted April 16, 2007
htmlspecialchars will replace certain characters with their HTML entity form. For example:
A < will be replaced as &lt;
A > will be replaced as &gt;
The safest way (in my opinion) would be to use mysql_real_escape_string() before you enter information into your database.
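To make the distinction in this answer concrete, here is an added example (not code from the thread). It uses an in-memory SQLite database through PDO so it runs offline; the reasoning is the same for MySQL. It shows that htmlspecialchars() encodes angle brackets for HTML but leaves the SQL string delimiter intact, so a perfectly legitimate value breaks the query, while a parameterised query stores the value as typed. Note that mysql_real_escape_string() belonged to the old mysql extension, which was removed in PHP 7; with mysqli or PDO the equivalent is a prepared statement.

```php
<?php
// Added example: htmlspecialchars() is an HTML output encoder, not an SQL
// escaper. In-memory SQLite stands in for MySQL so this runs without a server.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed input: an ordinary value that happens to contain a quote.
$input = "O'Brien <b>";

// 1. htmlspecialchars() only. ENT_COMPAT reproduces the classic behaviour:
//    '<' becomes '&lt;' but the single quote is untouched and terminates the
//    SQL string literal. (Newer defaults encode it as &#039;, which merely
//    stores HTML entities in the database, still not the right fix.)
$encoded = htmlspecialchars($input, ENT_COMPAT, 'UTF-8');
echo "encoded: $encoded\n";            // O'Brien &lt;b&gt;
try {
    $db->exec("INSERT INTO users (name) VALUES ('$encoded')");
} catch (PDOException $e) {
    echo "naive insert failed: " . $e->getMessage() . "\n";
}

// 2. Parameterised query: the value travels separately from the SQL text, so
//    quotes and angle brackets cannot change the statement's structure.
$stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => $input]);

$stored = $db->query('SELECT name FROM users')->fetchColumn();
echo "stored: $stored\n";              // O'Brien <b>

// 3. Encode for HTML at output time, against the raw stored value.
echo "rendered: " . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . "\n";
// rendered: O&#039;Brien &lt;b&gt;
```

The rule of thumb the example illustrates: store raw input through a prepared statement, and apply htmlspecialchars() only when the value is written into an HTML page. Each escaping function belongs to exactly one output context.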
Hughesy1986 Posted April 16, 2007
If you are just looking to remove the html then strip_tags is the best option as you can allow certain tags as well.
<?php
$var = "<script type='text/javascript'>window.location(http://www.ebay.co.uk)</script><b>Hi</b>";
$var = strip_tags($var, '<b>');
echo $var;
?>
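Two properties of strip_tags() are worth seeing before relying on it, so here is an added example (not from the thread) run on a constructed input modelled on the one above: the text between removed tags is kept, and tags on the allow list keep all of their attributes. For displaying untrusted text, encoding with htmlspecialchars() is the safer default because nothing in the value is interpreted as markup.

```php
<?php
// Added example: what strip_tags() keeps when given an allow list.

// Constructed input, modelled on the thread's example.
$input = "<script type='text/javascript'>window.location = 'http://www.example.com';</script>"
       . "<b class=\"note\">Hi</b> <i>there</i>";

// Only <b> is allowed. The <script> and <i> tags are removed, but their
// text content survives, and the <b> tag keeps its class attribute.
$stripped = strip_tags($input, '<b>');
echo $stripped . "\n";
// window.location = 'http://www.example.com';<b class="note">Hi</b> there

// Encoding for display: the browser shows the markup as literal text.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}
echo encodeForHtml($input) . "\n";
// &lt;script type=&#039;text/javascript&#039;&gt;window.location = ... (all tags shown literally)
```

Because an allowed tag's attributes pass through untouched, strip_tags() with an allow list is a tag filter rather than an HTML sanitiser; if formatting tags must be permitted, a purpose-built HTML sanitiser that also validates attributes is the appropriate tool, and encoding remains the choice for plain text.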