Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
// strip away any dangerous tags
// (my)sql does not care about
$user=strip_tags($user);
$pass=strip_tags($pass);
// remove spaces from variables
// (my)sql does not care about
$user=str_replace(" ","",$user);
$pass=str_replace(" ","",$pass);
// remove escaped spaces
// (my)sql does not care about
$user=str_replace("%20","",$user);
$pass=str_replace("%20","",$pass);
// add slashes to stop hacking
// might not be sufficient for (my)sql
$user=addslashes($user);
$pass=addslashes($pass);
// hash users password for security (32 chars random - md5)
// The characters returned by php 's md5() are safe for use in sql - but you cannot md5 everything
$pass=md5($pass);
reecec wrote: Should I also be using mysql_escape_string?
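As an added example (not code from the thread or from reecec), here is the same login flow rewritten with a PDO prepared statement and password_hash(): with native prepares the user input never becomes part of the SQL text, so none of the strip_tags/str_replace/addslashes steps above are needed for the database, and the mysql_* functions (including mysql_escape_string) were removed in PHP 7 anyway. It assumes a hypothetical `users` table with `username` and `password_hash` columns and a PDO connection you create yourself.

```php
<?php
// Added example: replaces the strip/replace/addslashes/md5 chain from the post.
// Assumes a hypothetical `users` table (username, password_hash).
declare(strict_types=1);

function createPdo(string $dsn, string $dbUser, string $dbPass): PDO
{
    // Emulation off: the query text and the bound values are sent to MySQL
    // separately, so no client-side escaping of $user or $pass is required.
    return new PDO($dsn, $dbUser, $dbPass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Registration: store a salted, slow hash instead of md5($pass).
function registerUser(PDO $pdo, string $user, string $pass): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:u, :h)'
    );
    $stmt->execute([
        ':u' => $user,
        ':h' => password_hash($pass, PASSWORD_DEFAULT),
    ]);
}

// Login: look the user up by bound parameter, then let password_verify()
// compare against the stored hash. The raw input is never spliced into SQL.
function checkLogin(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare(
        'SELECT password_hash FROM users WHERE username = :u LIMIT 1'
    );
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    return password_verify($pass, $row['password_hash']);
}

// Usage (DSN and credentials are placeholders):
// $pdo = createPdo('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret');
// registerUser($pdo, $_POST['user'], $_POST['pass']);
// $ok = checkLogin($pdo, $_POST['user'], $_POST['pass']);
// If the username is later echoed into HTML, escape it at output time with
// htmlspecialchars(); that is an HTML concern, not an SQL one.
```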