
probably simple questions

Posted: Tue May 29, 2007 1:11 pm
by ekosoftco
feyd | Please use [code], [/code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.


I was just wondering if anyone could help me out with how to use htmlentities()

And, for SQL injection, I know it's not a good topic to bring up, but is

Code:

<?php
// escape the user-supplied value, then use it inside a quoted string in the query
$page = mysql_real_escape_string($_GET['page']);
$res  = mysql_query("SELECT * FROM table_with_pages WHERE page_id='{$page}' LIMIT 1");
?>

the best way to be safe when querying a database?

And... are those two things all I have to worry about with XSS and injection, and is that the best way to be secure with the above examples?

And... :) are there any other securities I should worry about?



Posted: Tue May 29, 2007 2:27 pm
by feyd
htmlentities() and its cousin htmlspecialchars() have no bearing on information going into a database. They would only be used on information coming out for display in an HTML page.

Provided you are consistent in how you write your queries (like right now), mysql_real_escape_string() is generally all you need to ensure there is no injection; however, there are often added things such as filtering and validation which are field/data specific.
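To make the two separate concerns in feyd's reply concrete (escaping for HTML output versus escaping plus field-specific validation for SQL), here is an added example written for this thread; it is not code from either poster. It keeps the thread's mysql_* functions and the table name table_with_pages from ekosoftco's post; the column names, the $link connection resource, and the helper function names are assumptions, and the query text is returned rather than executed so it can be read without a live MySQL server.

```php
<?php
// Added example, not part of the original thread.
// Assumed: $link is an open mysql_connect() resource; column names are made up.

// 1. OUTPUT side. htmlspecialchars() belongs where data leaves PHP and enters
//    an HTML page, not where it enters the database. ENT_QUOTES also converts
//    single quotes, which matters when the value lands inside an attribute.
function html_out($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// 2. INPUT side, step one: field-specific validation (the "added things"
//    feyd mentions). page_id is an integer, so the narrowest check is to
//    refuse anything that is not a positive integer. Returns null on failure
//    so the caller can treat it as "no such page" instead of querying at all.
function validate_page_id($raw)
{
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]*$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// 2. INPUT side, step two: escaping for the query. mysql_real_escape_string()
//    only protects a value that sits inside quotes in the query text, which is
//    why feyd stresses writing queries consistently. Every string value here
//    is written as '...' exactly as in the original post.
function build_page_query($link, $page_id)
{
    $page = mysql_real_escape_string((string) $page_id, $link);
    return "SELECT page_id, title, body FROM table_with_pages "
         . "WHERE page_id='{$page}' LIMIT 1";
}

// Putting the pieces in order: validate, then query, then escape on display.
function show_page($link, array $get)
{
    $page_id = isset($get['page']) ? validate_page_id($get['page']) : null;
    if ($page_id === null) {
        return '<p>No such page.</p>';
    }
    $res = mysql_query(build_page_query($link, $page_id), $link);
    $row = $res ? mysql_fetch_assoc($res) : false;
    if (!$row) {
        return '<p>No such page.</p>';
    }
    // Escaping happens here, on the way OUT to HTML, not on the way in.
    return '<h1>' . html_out($row['title']) . '</h1>'
         . '<div>' . html_out($row['body']) . '</div>';
}

// Constructed sample inputs (no database needed for these two calls):
var_dump(validate_page_id('42'));              // int(42)
var_dump(validate_page_id('42; anything'));    // NULL, rejected before any SQL
echo html_out('<b>"quoted" & \'single\'</b>'), "\n";
// &lt;b&gt;&quot;quoted&quot; &amp; &#039;single&#039;&lt;/b&gt;
```

The order matters: validation runs first and rejects most bad input before it reaches the query, escaping covers whatever string values do reach it, and htmlspecialchars() is applied only at the point where database content is written into the page. Storing already-HTML-escaped text in the database is a common mistake that this layout avoids.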