sanitizing form data with PHP for MYSQL

[woocha]

Hey guys,

  when I have a form that populates a mySQL db is it more advised to use strip_tags() or mysql_real_escape_string() or maybe both?

 

DOES ANYONE HAVE A TRUELY GREAT FUNCTION TO REALLY SECURE ALL FORMS????

[kenrbnsn]

You should use mysql_real_escape_string() when inserting data into a mysql database. Tags don't mean anything to the database. You may want to use strip_tags() or htmlentities() when display data back to the screen so th browsers don't try to interpret the data as HTML.

 

Ken

[woocha]

I tried this bit of code and it returned empty

$string = mysql_real_escape_string($string);

 

did I do something wrong?

[kenrbnsn]

We need to see more of your code to determine what went wrong.

 

Please surround your code with

tags.

 

Ken

[priti]

I tried this bit of code and it returned empty

$string = mysql_real_escape_string($string);

 

did I do something wrong?

 

If you are not using mysql_real_escape_string is it working????

 

if so then check your php version if not wrong then this is working in >=4.3 version of PHP.

 

Regards

[Northern Flame]

try this:

 

$new_string = mysql_real_escape_string($string);

[haku]

If you want something that will help you create secure forms with little coding effort, you should check out the pear html quickform class. There is a great tutorial here that shows you how to do it.

 

Only setback is that it outputs everything in tables.

[tibberous]

Ken is right. I wouldn't worry about learning a class to handle this, because...

 

1) there are really only like three functions you need to use

2) you should understand the principles behind it

3) if you freelance, or work in a team, or use code other people have written, it's probably going to be done the 'basic' way