SyLon Posted December 6, 2007

Hello everyone! After reading some PHP security articles, I've created 2 functions to prevent SQL injection and display HTML tags correctly. The first one is for user input formatting:

    // Escapes a GET/POST value for use in a MySQL query after stripping HTML tags
    function _INPUT($name) {
        if ($_SERVER['REQUEST_METHOD'] == 'GET')
            return mysql_real_escape_string(strip_tags($_GET[$name]));
        if ($_SERVER['REQUEST_METHOD'] == 'POST')
            return mysql_real_escape_string(strip_tags($_POST[$name]));
    }

The second one is for output:

    // Converts a stored string to HTML: unescape, encode special characters, turn newlines into <br>
    function _STR($string) {
        return nl2br(htmlspecialchars(stripcslashes($string)));
    }

What do you think about those two functions? Will they provide the maximum security for my websites?

Thanks, Leon.
SyLon Posted December 7, 2007 (Author)

Anyone?? :'( :'( :'(

Thanks.
Aureole Posted December 7, 2007

For user input I just use htmlentities($var, ENT_QUOTES); I think that's one of the best things you can do... if all their " get turned into &quot; etc., then they can't really do anything, can they? Anyone feel free to correct me, however, if I'm wrong.
SyLon Posted December 7, 2007 (Author)

So it would look like this?

    function _INPUT($name) {
        if ($_SERVER['REQUEST_METHOD'] == 'GET')
            //return mysql_real_escape_string(strip_tags($_GET[$name]));
            return mysql_real_escape_string(htmlentities($_GET[$name], ENT_QUOTES));
        if ($_SERVER['REQUEST_METHOD'] == 'POST')
            //return mysql_real_escape_string(strip_tags($_POST[$name]));
            return mysql_real_escape_string(htmlentities($_POST[$name], ENT_QUOTES));
    }

Also, what do you think about the _STR function?

Thanks, Leon.
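The thread's two functions escape for SQL and HTML at input time and then try to undo it at output time. Below is an added example, not code from the thread or its posters, showing the separation a defender would want instead: raw input is kept as-is, SQL gets bound parameters, and HTML encoding happens only when rendering. It assumes a PDO connection with the pdo_sqlite extension and an illustrative `comments(author, body)` table.

```php
<?php
// Added example (not from the thread): escape for the context where data is used,
// rather than escaping everything once on input as _INPUT() tries to do.
// Assumes PDO with SQLite support; the `comments` table and names are illustrative.

// Raw input: no escaping here, only selection of the source and type normalisation.
function input(string $name): string {
    $src = ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' ? $_POST : $_GET;
    return isset($src[$name]) ? trim((string) $src[$name]) : '';
}

// SQL context: the value is bound as a parameter, so the database's quoting rules
// never apply to it and mysql_real_escape_string() is not needed.
function saveComment(PDO $db, string $author, string $body): void {
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// Load comments back exactly as stored (no unescaping step is required).
function loadBodies(PDO $db): array {
    return $db->query('SELECT body FROM comments')->fetchAll(PDO::FETCH_COLUMN);
}

// HTML context: encode once, at output. No stripcslashes(): it is not the inverse of
// mysql_real_escape_string() and would mangle legitimate backslashes in the data.
function html(string $string): string {
    return nl2br(htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Usage with a constructed value standing in for a submitted form field.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (author TEXT, body TEXT)');

$body = "O'Reilly says <b>hi</b>\nand \\o/";   // constructed sample input
saveComment($db, 'leon', $body);

foreach (loadBodies($db) as $stored) {
    // $stored === $body: quotes, tags and backslashes survive the round trip intact,
    // and only this rendering step decides how they appear in the page.
    echo html($stored), "\n";
}
```

Because the stored text is never altered, the same row can later be rendered in a different context (JSON, a plain-text e-mail) with that context's own encoder rather than being stuck with HTML entities baked in at input time.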