
Thread: Is this secure

  1. #1
    SitePoint Guru mmarif4u
    Join Date
    Dec 2006
    Location
    /dev/swat
    Posts
    619

    Is this secure

    Hi guys,

    I have a form where users input their details.
    That input will be stored in the DB.
    So I have this security buffer for the POST values...
    Is this secure or not? If not, how to make it more secure?
    PHP Code:
    // Escapes for SQL and HTML-encodes in one step; the array key is the form field name
    $name = mysql_real_escape_string(htmlentities($_POST['name']));
    Thanks.

  2. #2
    SitePoint Enthusiast
    Join Date
    Dec 2005
    Posts
    53
    Only use htmlentities() when you output a variable into HTML. So, to start with, get rid of that.

    Now, with mysql_real_escape_string() you first need to work out if magic_quotes is on or not. If magic_quotes is off, then yes, that is the correct way to escape variables before inserting them in an SQL statement. If magic_quotes is on, however, you will end up escaping twice and you will see double backslashes in your data, so it will be obvious if it is on. The best thing to do if it's on is to disable magic_quotes and make sure you escape all variables before you use them to create SQL.

    Now, later on you might get this data out of the database and use it in HTML; this is the time to call htmlentities().

    Additionally, it's a very good security practice to validate ALL input data before you do anything with it. So basically check that it's of a reasonable length and is of a format you expect. Regular expressions are very handy for this.
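    An added example (not from this thread) of the approach the reply describes: validate first, then treat each context separately, with a bound parameter for the SQL (the replacement for mysql_real_escape_string(), which later PHP versions removed) and htmlentities() only when rendering. It uses an in-memory SQLite database through PDO so it runs without MySQL; the validation pattern, table layout and sample inputs are assumptions.

```php
<?php
// Added example, not code from the thread. Validate first, then handle
// each context on its own: a bound parameter for SQL, htmlentities() for HTML.
// In-memory SQLite via PDO so the script runs without a MySQL server.

function validate_name(string $raw): ?string {
    // Reasonable length and an expected character set; reject anything else.
    // The pattern is an assumption for this example; adjust it to your data.
    $name = trim($raw);
    if ($name === '' || strlen($name) > 60) {
        return null;
    }
    if (!preg_match('/^[\p{L} .\'-]+$/u', $name)) {
        return null;
    }
    return $name;
}

function store_name(PDO $db, string $name): void {
    // Bound parameter: the driver keeps data separate from the statement,
    // so a quote in the name cannot alter the SQL. No HTML encoding here.
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

function render_names(PDO $db): string {
    // Encode only at output time, for the HTML context.
    $html = '';
    foreach ($db->query('SELECT name FROM users ORDER BY id') as $row) {
        $html .= '<li>' . htmlentities($row['name'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample input standing in for $_POST['name'].
$inputs = ["O'Brien", "<b>not a name</b>", "Ann-Marie Müller"];
foreach ($inputs as $raw) {
    $name = validate_name($raw);
    if ($name === null) {
        echo "rejected: $raw\n";   // angle brackets fail validation
        continue;
    }
    store_name($db, $name);        // O'Brien is stored as typed, no backslashes
}
echo render_names($db);            // O&#039;Brien is encoded only in the HTML
```

    Storing the raw, validated value and encoding on output keeps the database usable for other consumers (exports, APIs) that are not HTML.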

  3. #3
    SitePoint Guru mmarif4u
    Join Date
    Dec 2006
    Location
    /dev/swat
    Posts
    619
    Thanks for your reply...
    Yeah, I find these very good comments.
    Yeah, I am using regular expressions also, because I want to secure this form
    in every respect; that's why I use every security measure for it.

    Another thing: it means that to insert data into the DB, use mysql_real_escape_string,
    and for retrieving data use htmlentities. Is that what you want to say?

    If I use regular expressions, is it enough for more security,
    so that a user cannot enter malicious data into the DB?
