Jump to content


This topic is now archived and is closed to further replies.


sanitizing data

Recommended Posts

I just learned about mysql_real_escape_string and stripslashes. This is ofcourse to prevent SQL injection and any other type of malicious activity that experienced hackers could break.

The question:
I use the mysql_real_escape_string right after I receive the POST variables.
Is this the best way to prevent malicious activity through the forms?

I use the stripslashes right before display stuff to the users.
Is this the best way?

And is there anything else that developers should be aware of to ALWAYS include in our scripts?

We want to learn the best coding techniques and I thought you guys might have some input on this.

Share this post

Link to post
Share on other sites
I don't use mysql_real_escape_string() unless I'm putting the data into the database. You should also look at the [a href=\"http://www.php.net/htmlentities\" target=\"_blank\"]htmlentities()[/a] and [a href=\"http://www.php.net/strip_tags\" target=\"_blank\"]strip_tags()[/a] functions. If you're using contact type forms where the information is collected to be sent via email, you should check your fields for the string "Content-type:", since hackers have been attempting to do email hijacking by putting in their own headers.

Go to the [a href=\"http://phpsec.org/\" target=\"_blank\"]PHP Security Consortium's[/a] web site to get more information.


Share this post

Link to post
Share on other sites


Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.