form protection
Posted: Thu Oct 07, 2010 4:14 am
Hello
I created a PHP form where my users can post ads.
I know that it can be used for a break-in, and that is why we are using "htmlspecialchars()", "mysql_real_escape_string()" and "stripslashes()". The problem is that I don't know where to use each one of them.
If the input is "name" (<input type='text' name='name' />), how should the POST be handled?
like this:
$name = htmlspecialchars($_POST['name']);
or like this:
$name = mysql_real_escape_string($_POST['name']);
or maybe like this:
$name = trim(stripslashes($_POST['name']));
?
What about printing to the screen, the stage where I get the data from the SQL:
$query = mysql_query("SELECT * FROM `sells` ");
$index = mysql_fetch_array($query);
$name = $index['name'];
Should it be:
$name = htmlspecialchars($index['name']);
or like this:
$name = mysql_real_escape_string($_POST['name']);
or maybe like this:
$name = trim(stripslashes($_POST['name']));
?
Thanks in advance!
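Where each of the three functions belongs, as an added example that is not code from the original post: trim() and (only under magic_quotes_gpc) stripslashes() at the input stage, a bound parameter instead of mysql_real_escape_string() at the storage stage, and htmlspecialchars() at the output stage. It assumes a table `sells` with a text column `name` and PHP 7 or later with PDO; the in-memory SQLite database, the `id` column and the sample submissions are constructed stand-ins so the script runs offline (for MySQL, swap the DSN). Prepared statements are used in place of mysql_real_escape_string() because the old mysql extension that function belongs to was removed in PHP 7.

```php
<?php
// Added example, not the poster's code. Assumptions: table `sells` with a text
// column `name`; PHP 7+ with PDO. SQLite in-memory is a stand-in for MySQL so
// the script runs offline; for MySQL use 'mysql:host=...;dbname=...;charset=utf8mb4'.
declare(strict_types=1);

// Stage 1, input: keep the raw value. Do not HTML-escape or SQL-escape here;
// escaping belongs to the context the value is later placed in, not to the input.
// stripslashes() is only needed to undo magic_quotes_gpc (PHP < 5.4).
function readName(array $post): string
{
    $name = isset($post['name']) ? (string) $post['name'] : '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $name = stripslashes($name);  // undo the legacy automatic backslashes
    }
    $name = trim($name);
    if ($name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('name must be 1..100 bytes');
    }
    return $name;
}

// Stage 2, storage: bind the value as a parameter. The driver sends the data
// separately from the SQL text, so quotes in $name can never end the statement.
function insertAd(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO sells (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// Stage 3, output: escape for the HTML context at the moment of printing, every
// time the value is printed, so stored text can never become markup or script.
function renderAds(PDO $db): string
{
    $html = "<ul>\n";
    foreach ($db->query('SELECT name FROM sells ORDER BY id') as $row) {
        $html .= '  <li>' . htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed in-memory database standing in for the MySQL `sells` table.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$db->exec('CREATE TABLE sells (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample submissions standing in for $_POST: a harmless name with a
// quote, an SQL-injection attempt, and an HTML/JavaScript injection attempt.
$samples = [
    ['name' => "  O'Reilly  "],
    ['name' => "x'); DROP TABLE sells; --"],
    ['name' => '<script>alert(1)</script>'],
];
foreach ($samples as $post) {
    insertAd($db, readName($post));
}

// The table survives and holds exactly what was submitted (minus trim), while
// the rendered page shows the hostile strings as literal text.
echo $db->query('SELECT COUNT(*) FROM sells')->fetchColumn(), " rows stored\n";
echo renderAds($db);
```

The rule the script follows is that the same stored string is escaped differently depending on where it goes: parameter binding (or, on the legacy mysql extension, mysql_real_escape_string() on the value right before it is concatenated into the query) for SQL, htmlspecialchars() for HTML, and neither applied to the value kept in the database. Applying htmlspecialchars() at input time instead would store `&lt;` sequences and break any non-HTML use of the data, such as an email or a JSON API.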