Form submission to mysql and email

Posted: Wed May 06, 2009 12:04 am
by burnside
Hi,

I have data from a form and want to input it into mysql and also send that data to an email address. What is the best practice for formatting this data?

I believe when inserting the data into mysql, I should be using mysql_real_escape_string(), correct? I've also heard of using htmlentities.

When sending an email, do I just send the data as is or should I do any pre-formatting?

I'm trying to avoid XSS and make this submission pretty secure of course. :wink:

Thanks again!
b

Re: Form submission to mysql and email

Posted: Wed May 06, 2009 3:59 pm
by david64
Best bet is to use the bindParam and bindValue methods in the PDO class as this automatically does escaping. Otherwise just use the real escape method.

See: http://www.php.net/pdo
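A worked version of david64's suggestion, as an added example that is not code from the thread: a PDO prepared statement with bindValue() for the INSERT, with the e-mail and the HTML output each handled by the rule for their own context. The `contacts` table and its columns, the DSN and credentials, and the e-mail addresses are assumptions.

```php
<?php
// Added example (not from the thread). Assumed table: contacts(name, email, message).
// Escaping belongs to the context the data is going into, not to the form itself:
//   SQL   -> prepared statement with bound values (no mysql_real_escape_string() needed)
//   email -> plain-text body sent as submitted; header values stripped of CR/LF
//   HTML  -> htmlspecialchars() at the moment of output (the XSS concern)

function saveAndNotify(PDO $pdo, array $form, string $notifyAddress): int
{
    // Bound values never become part of the SQL text, so the usual
    // quote/backslash escaping is not needed for the INSERT.
    $stmt = $pdo->prepare(
        'INSERT INTO contacts (name, email, message) VALUES (:name, :email, :message)'
    );
    $stmt->bindValue(':name',    $form['name'],    PDO::PARAM_STR);
    $stmt->bindValue(':email',   $form['email'],   PDO::PARAM_STR);
    $stmt->bindValue(':message', $form['message'], PDO::PARAM_STR);
    $stmt->execute();
    $id = (int) $pdo->lastInsertId();

    // The body is plain text and can carry the data as submitted.
    // A value placed in a *header* (here the Subject) must not contain line
    // breaks, otherwise a submission could add header lines of its own.
    $safeName = str_replace(["\r", "\n"], ' ', $form['name']);
    $subject  = 'Contact form #' . $id . ' from ' . $safeName;
    $body     = "Name: {$form['name']}\nEmail: {$form['email']}\n\n{$form['message']}\n";
    mail($notifyAddress, $subject, $body, 'From: webform@example.com'); // assumed sender

    return $id;
}

// Only when printing a stored value back into an HTML page does it need
// HTML escaping; doing it before the INSERT would corrupt the stored data.
function renderForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Usage with assumed DSN and credentials; native prepares so the driver,
// not PHP, keeps data and query separate.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$form = [
    'name'    => $_POST['name']    ?? '',
    'email'   => $_POST['email']   ?? '',
    'message' => $_POST['message'] ?? '',
];
$id = saveAndNotify($pdo, $form, 'inbox@example.com');
echo 'Saved as #' . $id . ' for ' . renderForHtml($form['name']);
```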

Re: Form submission to mysql and email

Posted: Wed May 13, 2009 11:47 pm
by burnside
Thanks for your insight. Got it working nicely in the end!