Jump to content


sanitizing data

  • Please log in to reply
1 reply to this topic

#1 darga333

  • Members
  • PipPipPip
  • Advanced Member
  • 53 posts

Posted 20 April 2006 - 09:07 PM

I just learned about mysql_real_escape_string and stripslashes. This is ofcourse to prevent SQL injection and any other type of malicious activity that experienced hackers could break.

The question:
I use the mysql_real_escape_string right after I receive the POST variables.
Is this the best way to prevent malicious activity through the forms?

I use the stripslashes right before display stuff to the users.
Is this the best way?

And is there anything else that developers should be aware of to ALWAYS include in our scripts?

We want to learn the best coding techniques and I thought you guys might have some input on this.

#2 kenrbnsn

  • Staff Alumni
  • Advanced Member
  • 8,235 posts
  • LocationHillsborough, NJ, USA

Posted 20 April 2006 - 09:51 PM

I don't use mysql_real_escape_string() unless I'm putting the data into the database. You should also look at the [a href=\"http://www.php.net/htmlentities\" target=\"_blank\"]htmlentities()[/a] and [a href=\"http://www.php.net/strip_tags\" target=\"_blank\"]strip_tags()[/a] functions. If you're using contact type forms where the information is collected to be sent via email, you should check your fields for the string "Content-type:", since hackers have been attempting to do email hijacking by putting in their own headers.

Go to the [a href=\"http://phpsec.org/\" target=\"_blank\"]PHP Security Consortium's[/a] web site to get more information.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users