validating form input

Prev: MSSQL failing.
Next: Last day to submit your Surge 2010 CFP!

From: David Mehler on 8 Jul 2010 15:38

---

Hello,
Got a form that takes in data to enter in to a database. I want to
make it as secure and as invulnerable to sql injection and other
attacks as possible. I'm wondering if mysqli_real_escape_string or
stripslashes should be used or if the former does the latter. For
example, I have a name variable:

$name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));

or should I do:

$name = stripslashes(mysqli_real_escape_string($dbc, trim($_POST['name'])));

Thanks.
Dave.

From: Michael Shadle on 8 Jul 2010 16:35

---

On Jul 8, 2010, at 12:38 PM, David Mehler <dave.mehler(a)gmail.com> wrote:

> Hello,
> Got a form that takes in data to enter in to a database. I want to
> make it as secure and as invulnerable to sql injection and other
> attacks as possible. I'm wondering if mysqli_real_escape_string or
> stripslashes should be used or if the former does the latter. For
> example, I have a name variable:
>
> $name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));

This would work. Escaping the string should be all you need. As long as you use single quotes for wrapping the column values. Double quotes not sure but shouldn't be using those anyway.

>
> or should I do:
>
> $name = stripslashes(mysqli_real_escape_string($dbc, trim($_POST['name'])));

No... You'd be adding slashes and then removing them here :p


>
> Thanks.
> Dave.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

From: Shawn McKenzie on 9 Jul 2010 11:18

---

On 07/08/2010 02:38 PM, David Mehler wrote:
> Hello,
> Got a form that takes in data to enter in to a database. I want to
> make it as secure and as invulnerable to sql injection and other
> attacks as possible. I'm wondering if mysqli_real_escape_string or
> stripslashes should be used or if the former does the latter. For
> example, I have a name variable:
>

In general this is fine:

> $name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));
>
> or should I do:

You need to do something like this only if magic_quotes are enabled on
your PHP installation, except you would stripslashes first:

if(get_magic_quotes_gpc()) {
$_POST['name'] = stripslashes($_POST['name']);
}
$name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));

>
> $name = stripslashes(mysqli_real_escape_string($dbc, trim($_POST['name'])));
>
> Thanks.
> Dave.


--
Thanks!
-Shawn
http://www.spidean.com

 | 
Pages: 1
Prev: MSSQL failing.
Next: Last day to submit your Surge 2010 CFP!