SidewinderX wrote: So you suggest not using stripslashes and htmlentities before entering data into a mysql database.
I would recommend stripslashes()'ing when inputting into the database only because typically this is an unwanted effect from magic quotes. Different environments obviously have different php settings, so it should generally be common practice to apply stripslashes().
Assuming I'm expecting a string to be input - that leaves mysql_real_escape_string as the only "input" protection, which allows for XSS.
When inputting into your database we do not care about XSS, we care about SQL injection. The goal of mysql_real_escape_string() is to prevent that kind of attack (as well as legitimate strings that may contain characters that will affect our query unintentionally). On the other hand, if you are expecting a numerical input, you can replace mysql_real_escape_string() with typecasting (int) or intval().
Is it wise to use some other kind of "input" protection, or use striptags in the "output?"
It is my preference to stripslashes() on input to avoid a separate step to achieving clean output. Although, htmlentities should almost always be applied to any output, to prevent XSS as well as generating valid markup.
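The two layers described in this thread, as an added example that is not part of the original posts. It is written in Python rather than PHP so it runs without a MySQL server: a parameterised sqlite3 query stands in for mysql_real_escape_string() (both keep quotes in the data from altering the statement), coerce_int() mirrors intval()/(int), strip_slashes() mirrors stripslashes(), and html.escape() mirrors htmlentities(). The request data is constructed to look like what PHP delivers with magic_quotes_gpc on, and the function and table names are this example's own.

```python
import html
import re
import sqlite3

# ---- input layer: get the user's text into the database intact, without breaking the query ----

def strip_slashes(value: str) -> str:
    """Equivalent of PHP stripslashes(): undo the backslash escaping that
    magic_quotes_gpc added to request data, so the stored value is the
    user's original text rather than a doubly escaped one."""
    out = []
    i = 0
    while i < len(value):
        if value[i] == "\\":
            if i + 1 < len(value):
                out.append(value[i + 1])  # keep the escaped character, drop the slash
                i += 2
            else:
                i += 1                    # PHP drops a lone trailing backslash
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


_LEADING_INT = re.compile(r"^\s*[+-]?\d+")

def coerce_int(value: str) -> int:
    """Equivalent of PHP intval()/(int): keep the leading integer, else 0.
    Whatever follows the digits (e.g. ' OR 1=1') is discarded, so a numeric
    parameter can never carry SQL into the query."""
    m = _LEADING_INT.match(value)
    return int(m.group(0)) if m else 0


def store_and_fetch(rows):
    """Insert (id, body) pairs with a parameterised query and read them back.
    Parameter binding plays the role the thread gives mysql_real_escape_string():
    quotes and backslashes in the data cannot alter the statement, and the
    text comes back exactly as stored, still raw and NOT safe for HTML."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    conn.executemany("INSERT INTO comments (id, body) VALUES (?, ?)", rows)
    fetched = conn.execute("SELECT id, body FROM comments ORDER BY id").fetchall()
    conn.close()
    return fetched


# ---- output layer: encode for the HTML context at the moment of output ----

def render_comment(body: str) -> str:
    """Equivalent of PHP htmlentities(): this is where XSS is prevented."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


# Constructed request data, shaped like $_POST with magic_quotes_gpc on
# (quotes already backslash-escaped) and with hostile-looking values.
RAW_REQUEST = {
    "id": "7 OR 1=1",
    "comment": r"Bob\'s <script>alert(\"xss\")</script> review",
}

def process_request(request=RAW_REQUEST):
    """Run one request through both layers; returns (id, stored_body, rendered_html)."""
    clean_id = coerce_int(request["id"])             # numeric input: cast, no escaping needed
    clean_comment = strip_slashes(request["comment"])  # string input: undo magic quotes
    stored = store_and_fetch([(clean_id, clean_comment)])
    return [(rid, body, render_comment(body)) for rid, body in stored]


if __name__ == "__main__":
    for rid, body, rendered in process_request():
        print(rid, repr(body))
        print(rendered)
```

The stored body still contains the literal `<script>` tag, which is the point SidewinderX raised: database-layer escaping only protects the query. The tag is neutralised by render_comment() at output. One caveat on the stripslashes() step: it should only run when the environment actually added the slashes (in PHP, check get_magic_quotes_gpc()), otherwise it silently destroys legitimate backslashes in user data.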