Isityou, posted February 20, 2008 (https://forums.phpfreaks.com/topic/92113-security-question/)

When I sanitize user input, is mysql_real_escape_string() all I need to cover my ass? If there's anything else I should sanitize, please do tell me.
tinker, posted February 20, 2008

It depends upon what the input is for... login, blog, etc... Here's a few useful functions you might like to search the manual for: htmlentities, htmlspecialchars, strip_tags
Isityou (author), posted February 20, 2008

SQL input, HTML input (does it validate JavaScript?), and any other situation you can think of.
aschk, posted February 20, 2008

As a rule, filter input, escape output. Note the latter, ESCAPE OUTPUT. Meaning when you put things back out to the browser, make sure you use something like htmlentities so that any scripting tags get turned into their respective encodings.
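Added example, not code from any poster in the thread: aschk's "filter input, escape output" rule in working PHP, with PDO bound parameters doing the job mysql_real_escape_string() was used for and htmlspecialchars() applied at output time. It assumes the pdo_sqlite extension is available; an in-memory SQLite database stands in for MySQL so it runs offline, and the usernames and stored bio are constructed sample data.

```php
<?php
// Added example (not from the thread): "filter input, escape output" in practice.
// Uses an in-memory SQLite database via PDO so it runs without a MySQL server.

// 1. FILTER INPUT: validate against what the field is allowed to contain.
function filterUsername(string $raw): ?string {
    $trimmed = trim($raw);
    // Whitelist: 3-20 chars of letters, digits or underscore; reject anything else.
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $trimmed) ? $trimmed : null;
}

// 2. QUERY: bind parameters instead of splicing (escaped) strings into the SQL.
function findUser(PDO $db, string $username): ?array {
    $stmt = $db->prepare('SELECT id, username, bio FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. ESCAPE OUTPUT: encode for the HTML context at the moment of output.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, bio TEXT)');

// Constructed sample row: the bio holds markup a user might have stored as-is.
$ins = $db->prepare('INSERT INTO users (username, bio) VALUES (?, ?)');
$ins->execute(['alice', 'Hi! <b>bold</b> & <script>alert(1)</script>']);

// Constructed inputs: one valid username, one that fails the whitelist.
foreach (['alice', "alice'--"] as $input) {
    $name = filterUsername($input);
    if ($name === null) {
        echo 'Rejected input: ' . h($input) . "\n";
        continue;
    }
    $user = findUser($db, $name);
    // The stored value is escaped here, not before it went into the database,
    // so the same raw data can be emitted safely in other contexts later.
    echo '<p>' . h($user['username']) . ': ' . h($user['bio']) . "</p>\n";
}
```

The first iteration prints the bio with `<`, `>`, `&` and quotes encoded, so the stored script tag renders as text; the second input never reaches the database because it fails validation.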