Re: PHP Form Security
Posted: Thu Jun 23, 2011 11:39 am
As per magic quotes:

The Manual wrote:
    This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.

For simple input you should look at validating the type of input received; if it's written to a database use something like mysql_real_escape_string(), and if the data will be displayed use htmlentities() with ENT_QUOTES to make any HTML characters safe for display (and stripslashes() for any remaining slashes).

And from the manual under User Submitted Data:

The Manual wrote:
    You may also want to consider turning off register_globals, magic_quotes, or other convenience settings which may confuse you as to the validity, source, or value of a given variable. Working with PHP in error_reporting(E_ALL) mode can also help warn you about variables being used before they are checked or initialized (so you can prevent unusual data from being operated upon).
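The validate / escape-for-storage / encode-for-display steps the post describes, as an added example that is not part of the original post; it assumes a PHP 5.x setup with the mysql extension (as the post does) and uses a constructed form submission instead of a real $_POST.

```php
<?php
// Added example, not the poster's code. Targets PHP 5.x: mysql_real_escape_string()
// and magic_quotes_gpc no longer exist in later PHP versions.

// 1. Undo magic quotes if the setting is still on, so values are not escaped twice.
function strip_magic_quotes($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 2. Validate the *type* of each field before using it anywhere.
function validate_age($value) {
    $opts = array('options' => array('min_range' => 0, 'max_range' => 150));
    $age = filter_var($value, FILTER_VALIDATE_INT, $opts);
    return ($age === false) ? null : $age;   // null means "reject the request"
}

function validate_email($value) {
    $email = filter_var($value, FILTER_VALIDATE_EMAIL);
    return ($email === false) ? null : $email;
}

// 3. Escape only at the point of storage, with the live connection handle.
function for_database($link, $value) {
    return mysql_real_escape_string($value, $link);
}

// 4. Encode only at the point of display; ENT_QUOTES also covers single quotes,
//    so the value is safe inside value='...' attributes as well as in text.
function for_display($value) {
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submission (stands in for $_POST).
$form = array(
    'age'   => '42',
    'email' => "o'brien@example.com",
    'name'  => "<script>alert('x')</script>",
);

$age   = validate_age(strip_magic_quotes($form['age']));        // int(42)
$email = validate_email(strip_magic_quotes($form['email']));    // valid address
$name  = for_display(strip_magic_quotes($form['name']));        // tags and quotes encoded

if ($age === null || $email === null) {
    die('Invalid input');   // reject, rather than try to "clean" bad types
}
echo "<p>Name: $name</p>\n";   // prints &lt;script&gt;alert(&#039;x&#039;)&lt;/script&gt;
```

The database step is shown as a function only because it needs an open mysql connection; the display step is the one the sample actually exercises.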