
Best PHP security for MySql injection, XSS,...?

Posted: Thu Jan 20, 2011 12:01 pm
by ExSilencer
I was searching around for some good security regarding forms in PHP whose data is then written to MySQL.

I get some value from the URL or a form this way:
$something = $_GET['something']; or $something = $_POST['something'];

This can then be exploited by MySQL injection, XSS, etc., right?

Well, I was searching for the best solution for that, and I am wondering: if I use this code, will it be OK?

$something = mysql_real_escape_string(htmlspecialchars(stripslashes(strip_tags($_GET['something']))));

Or should I use them separately?

Re: Best PHP security for MySql injection, XSS,...?

Posted: Thu Jan 20, 2011 1:01 pm
by AbraCadaver
It depends on what you are doing (displaying data, inserting data into the database) and what is acceptable. Normally you would use htmlentities() when displaying data to make sure there is no HTML/script data. You should always use mysql_real_escape_string() when inserting into the database. You only need stripslashes() on user data (POST, GET, etc.) if your server uses magic_quotes. You only need to use strip_tags() if you are positive that you don't want any HTML.

Example:


<?php
// the value as it arrived from the request (the $_GET['something'] from the question)
$var = isset($_GET['something']) ? $_GET['something'] : '';

// store in db
// stripslashes() only undoes the backslashes magic_quotes added; skip it otherwise
if (get_magic_quotes_gpc()) {
    $var = stripslashes($var);
}
// needs an open mysql_connect() link: the escaping depends on the connection charset
$var = mysql_real_escape_string($var);

// display when HTML not needed (a separate step, done at output time, not on the stored copy)
$var = htmlentities($var);
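The same rule as in the answer above (one treatment for the database, a different one for HTML output, and no strip_tags/stripslashes chain in between), written out as an added example that is not code from the thread. It goes beyond the thread in one way: the mysql_* functions it discusses were removed in PHP 7, so the database side uses a PDO prepared statement, where the value is bound as a parameter instead of being escaped into the SQL string. To run offline it uses the sqlite PDO driver (an assumption); with MySQL only the DSN changes. Function names (raw_input, store_comment, html) and the sample inputs are constructed for the example.

```php
<?php
// Added example, not the thread's code. Assumes PDO with the sqlite driver is
// available; for MySQL the DSN would be 'mysql:host=...;dbname=...' and the rest
// is identical.

// Only installs that still have magic_quotes_gpc need the stripslashes() step;
// the function was removed in PHP 8, hence the guard.
function raw_input(array $source, string $key): string
{
    $value = isset($source[$key]) ? (string) $source[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Store: the value travels as a bound parameter, so quotes and backslashes in it
// can never change the structure of the statement. Nothing is HTML-encoded here;
// the database should hold the text exactly as the user typed it.
function store_comment(PDO $db, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->bindValue(':body', $comment, PDO::PARAM_STR);
    $stmt->execute();
}

// Display: encode for the HTML context at output time. ENT_QUOTES also encodes
// single quotes, which the flag-less htmlentities() call in the answer leaves
// alone on older PHP; that matters inside single-quoted attributes.
function html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed inputs standing in for $_GET['something']: plain text with a quote,
// text containing SQL metacharacters, and text containing markup.
$samples = [
    'something' => "O'Reilly -- plain text with a quote",
    'sample2'   => "x'); DROP TABLE comments; --",
    'sample3'   => '<script>alert(1)</script>',
];
foreach (array_keys($samples) as $key) {
    store_comment($db, raw_input($samples, $key));
}

// Every row was stored verbatim (the table still exists, so the second sample did
// nothing to the SQL), and every row renders inert: the browser shows the
// characters instead of interpreting them.
foreach ($db->query('SELECT body FROM comments ORDER BY id') as $row) {
    echo '<li>' . html($row['body']) . "</li>\n";
}
```

Two points the script makes concrete: escaping is tied to a destination, so the database step and the HTML step each handle exactly the characters that are special to them and nothing else, and encoding happens on the way out, not on the way in, so the stored data stays usable for other outputs (JSON, plain-text e-mail) without double-encoding.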