| SitePoint Sponsor |
Hi guys,,,
I a have a form where user input thier details.
That input will be stored in the db.
So i have this security buffer for the post values...
Is this secure r not, if not how to make it more secure.
Thanks.PHP Code:$name=mysql_real_escape_string(htmlentities($_POST['nmanme']));
Only use htmlentities when you output a variable into html. So to start with get rid of that.
Now with mysql_real_escape_string() you first need to work out if magic_quotes is on or not. If magic quotes is off then yes that is the correct way to escape variables before inserting in an sql statement. If magic_quotes is on however you will end up escaping twice and you will see double backslashes in your data, so it will be obvious if it is on. The best thing to do if it's on is to disable magic_quotes and make sure you escape all variables before you use them to create sql.
Now later on you might get this data out of the database and use it in html, this is the time to call htmlentities()
Additionally it's a very good security practice to validate ALL input data before you do anything with it. So basically check it's of a reasonable length and is of a format you expect. regular expressions are very handy for this.
Thanks for ur reply...
Yeh i find it very good comments.
Yeh i am using regular expressions also, bcoz this form i want to secure
in any respect thats why i use every security measures for it.
Another it means that to insert data to db use mysql_real_escape_string
For retrieving data use htmlentities r u want to say this.
if i use regular expressions,is it enough for more security.
That a user cannot enter malicious data to the db.
Posting Permissions
Bookmarks