
sanitizing a guestbook

Posted: Sat Jun 02, 2007 11:45 am
by bobo12
I'm making a guestbook and for the most part I'm finished. The only thing I need to do now is make sure it's safe from attacks (which I don't think it's 100% safe from).
Functions include adding a comment with name, email, homepage, comment and a no spam question must be answered. There is a database and an admin control panel that allows the admin to edit/delete comments and change a bunch of site parameters.

My question is where do I properly use htmlspecialchars and where do I use addslashes, etc? I've heard htmlspecialchars is only used when output information like <input type=text value="<?php echo $something; ?>">

Thanks!

Posted: Sat Jun 02, 2007 3:55 pm
by feyd
  1. htmlspecialchars() is to be used when sending any user input data to the browser. Yes, any, unless you know exactly what you're doing.
  2. addslashes() should never be used, ever.

Posted: Sat Jun 02, 2007 6:28 pm
by bobo12
okay, i get the htmlspecialchars(), but what about cleaning up post variables the user submits like username, password, comment, name, etc? These will be inserted into a database and I'm sure sql injection is a possibility.

Thanks.

Posted: Sat Jun 02, 2007 6:34 pm
by John Cartwright
Apply mysql_real_escape_string() and trim() on all incoming data and you should be protected from SQL injection.

Posted: Sun Jun 03, 2007 6:39 pm
by bobo12
Jcart wrote: Apply mysql_real_escape_string() and trim() on all incoming data and you should be protected from SQL injection.
Thanks. Should I htmlspecialchars() all my post vars before putting them in the database or do that when I'm outputting to the screen?... I would think doing it before I add the info to the database would be the best. What about you?

Posted: Sun Jun 03, 2007 8:41 pm
by feyd
The answer to that is specified in my previous reply.
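The pattern the thread lands on (store user input unchanged, keep it out of the SQL text, escape it only when it is written into HTML) as an added example in PHP. This is not code from the thread or from bobo12's guestbook; the `guestbook` table, its column names, the `h()` helper and the sample row are assumptions. The insert uses a mysqli prepared statement, a substitute for the `mysql_real_escape_string()` call John Cartwright describes (the old `mysql_*` functions were removed in PHP 7), and the homepage link check is an extra defensive step not discussed above.

```php
<?php
// Added example, not code from the original thread. Shows the split the
// thread settles on: store user input unmodified, escape on the way to the
// browser. Table and column names are assumptions.

// Escape for HTML body and attribute contexts. ENT_QUOTES also covers the
// single quote, which matters inside value='...' attributes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store the raw (trimmed) submission. Bound parameters keep the data out of
// the SQL text entirely, so quotes in a comment cannot change the query.
// This replaces the mysql_real_escape_string() step mentioned in the thread.
function addEntry(mysqli $db, array $post): bool
{
    $name     = trim($post['name']     ?? '');
    $email    = trim($post['email']    ?? '');
    $homepage = trim($post['homepage'] ?? '');
    $comment  = trim($post['comment']  ?? '');

    $stmt = $db->prepare(
        'INSERT INTO guestbook (name, email, homepage, comment) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $name, $email, $homepage, $comment);
    return $stmt->execute();
}

// Render one row, escaping every field at the moment it reaches HTML.
function renderEntry(array $row): string
{
    $homepage = $row['homepage'];
    // Added check: only turn http(s) URLs into links; anything else is shown
    // as escaped text so the href cannot carry another scheme.
    $link = preg_match('#^https?://#i', $homepage)
        ? '<a href="' . h($homepage) . '">' . h($homepage) . '</a>'
        : h($homepage);

    return '<div class="entry">'
        . '<b>' . h($row['name']) . '</b> '
        . '<a href="mailto:' . h($row['email']) . '">' . h($row['email']) . '</a> '
        . $link
        . '<p>' . nl2br(h($row['comment'])) . '</p>'
        . '</div>';
}

// Constructed sample row, as it would come back from the database (unescaped,
// because nothing was escaped on the way in).
$sample = [
    'name'     => "O'Brien",
    'email'    => 'ob@example.com',
    'homepage' => 'not-a-url',
    'comment'  => "Nice site <b>really</b>\nSecond line",
];

echo renderEntry($sample), "\n";

// Re-filling a form field after a failed submit uses the same helper, which
// answers the <input value="<?php echo $something; ?>"> case from the first post.
echo '<input type="text" name="name" value="' . h($sample['name']) . '">', "\n";
```

Because the database holds the original text, the admin panel can edit a comment and the same `h()` call handles both the public page and the edit form; escaping before the insert would instead leave `&lt;` and `&#039;` in the stored data and double-escape it on every later display.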