Isityou, posted February 20, 2008: When I sanitize user input, is mysql_real_escape_string() all I need to cover my ass? If there's anything else I should sanitize, please do tell me.
tinker, posted February 20, 2008: It depends upon what the input is for... login, blog, etc... Here's a few useful functions you might like to search the manual for: htmlentities, htmlspecialchars, strip_tags
Isityou, posted February 20, 2008: SQL input, HTML input (does it validate JavaScript?), and any other situation you can think of.
aschk, posted February 20, 2008: As a rule, filter input, escape output. Note the latter: ESCAPE OUTPUT. Meaning when you put things back out to the browser, make sure you use something like htmlentities so that any scripting tags get turned into their respective encodings.
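The "filter input, escape output" rule carried out in PHP, as an added example that is not from the thread: input is validated with filter_var, stored through a PDO prepared statement (used here in place of mysql_real_escape_string, which belongs to the old mysql extension), and passed through htmlspecialchars only at the moment it is rendered into HTML. The comments table, its columns, the in-memory SQLite database standing in for MySQL, and the sample comment are all assumptions.

```php
<?php
// Added example (not from the thread). Assumes a PDO connection; an in-memory
// SQLite database stands in for MySQL so the script runs without a server.

// 1. FILTER INPUT: check each field against what it is supposed to be and
//    reject anything that does not fit. Returns null on failure.
function filterCommentInput(array $post): ?array
{
    $postId = filter_var($post['post_id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($postId === false) {
        return null;
    }
    $body = trim((string) ($post['body'] ?? ''));
    // A length limit and a UTF-8 check keep oversized or malformed bytes out of the database.
    if ($body === '' || !mb_check_encoding($body, 'UTF-8') || mb_strlen($body, 'UTF-8') > 2000) {
        return null;
    }
    return ['post_id' => $postId, 'body' => $body];
}

// 2. STORE with a prepared statement: the data never becomes part of the SQL
//    text, so no string-escaping function is needed for the query.
function storeComment(PDO $db, array $comment): void
{
    $stmt = $db->prepare('INSERT INTO comments (post_id, body) VALUES (:post_id, :body)');
    $stmt->execute([':post_id' => $comment['post_id'], ':body' => $comment['body']]);
}

// 3. ESCAPE OUTPUT where the value enters HTML. ENT_QUOTES encodes both quote
//    styles, so the same helper is safe inside a quoted attribute as well as in text.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderComments(PDO $db, int $postId): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE post_id = :post_id');
    $stmt->execute([':post_id' => $postId]);
    $html = '';
    foreach ($stmt as $row) {
        $html .= '<li>' . h($row['body']) . "</li>\n";
    }
    return "<ul>\n" . $html . '</ul>';
}

// Constructed sample run: the tag and the apostrophe are stored as typed
// (the text is preserved) and are neutralised only when rendered.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, post_id INTEGER, body TEXT)');
$clean = filterCommentInput(['post_id' => '7', 'body' => "Nice post <script>x</script> O'Brien"]);
storeComment($db, $clean);
echo renderComments($db, 7);
```

htmlspecialchars covers HTML text and attribute values; a value placed inside a JavaScript block, a URL, or a CSS rule needs the escaping rules of that context instead.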