
Fixing Input

Posted: Wed Dec 27, 2006 2:12 pm
by timclaason
I want to make sure to fix all input from a <TEXTAREA> and text inputs. The data in the post will be going into a MySQL database.

Is there a preg_replace() or some other industry standard that is best to use, or are there multiple functions I should use?

Obviously, the general idea is to prevent backslashes, single quotes, double quotes, etc from causing the code to error out (I don't really have much control over the php.ini), and also to prevent injection and other forms of attack.

Any feedback would be greatly appreciated.

Posted: Wed Dec 27, 2006 2:16 pm
by feyd
mysql_real_escape_string() takes care of most issues.

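Added example, not code from this thread: a textarea value with quotes and a backslash going into MySQL three ways, raw (breaks), escaped as feyd suggests, and as a prepared statement. It assumes a `notes` table with a `body` column and placeholder connection details; the mysqli extension is used because ext/mysql, where mysql_real_escape_string() lived, was removed in PHP 7, and mysqli_real_escape_string() is its equivalent.

```php
<?php
// Connection details are placeholders; replace with your own.
$link = mysqli_connect('db.example', 'app_user', 'app_password', 'notes_db');
if ($link === false) {
    die('connect failed: ' . mysqli_connect_error() . "\n");
}
// Escaping is charset-aware, so declare the charset before escaping anything.
mysqli_set_charset($link, 'utf8mb4');

// Constructed input of the kind the original poster describes: an apostrophe,
// a backslash and double quotes. Awkward text, not an attack.
$body = "Tim's note: path is C:\\temp, status \"done\"";

// Old php.ini setups with magic_quotes_gpc already add backslashes to POST
// data; undo that first or the value gets escaped twice. (Removed in PHP 8.)
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $body = stripslashes($body);
}

// 1. Raw interpolation: the apostrophe after "Tim" closes the string literal
//    and MySQL rejects the statement with a syntax error. Shown, not run.
$unsafe = "INSERT INTO notes (body) VALUES ('$body')";

// 2. Escaping: quotes, backslashes, NUL and line breaks get a backslash
//    prefix, so the literal stays one literal. Only valid inside quotes.
$escaped = mysqli_real_escape_string($link, $body);
$sql = "INSERT INTO notes (body) VALUES ('$escaped')";
if (!mysqli_query($link, $sql)) {
    echo 'escaped insert failed: ' . mysqli_error($link) . "\n";
}

// 3. Prepared statement: the value travels separately from the SQL text, so
//    nothing in it can change the statement's structure. No escaping needed.
$stmt = mysqli_prepare($link, 'INSERT INTO notes (body) VALUES (?)');
mysqli_stmt_bind_param($stmt, 's', $body);
if (!mysqli_stmt_execute($stmt)) {
    echo 'prepared insert failed: ' . mysqli_stmt_error($stmt) . "\n";
}
mysqli_stmt_close($stmt);
mysqli_close($link);
```

After either safe insert, selecting the row returns the original text unchanged, including the single backslash; if it comes back with two, something upstream (such as magic quotes) escaped it first.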

Posted: Wed Dec 27, 2006 2:21 pm
by timclaason
I probably overstated the concern about attacks. It's an internal app that only 4 or 5 people are using. It's about 100 times more likely to have weird input than it is to be hacked. But the likelihood of there being a slash or single quote is very high.

Is mysql_real_escape_string still the best solution?

PS Thanks for the quick reply

Posted: Wed Dec 27, 2006 2:41 pm
by feyd
Unexpected values are handled by your code. How is up to you.

As for slashes and quotes... you'll just have to try the function. ;)