PHP server validation?

Hello All,
I'm working on a website and I did client-side validation using jQuery, but now I want to do server validation. I'm not sure what it means, but I know mysql_real_escape_string and have been using it. So I wanted to know what server validation is and what I should use. Is mysql_real_escape_string enough?

If you google for it, or do a search in this forum, you'll find lots of explanations and tutorials. This question has been asked many times before.

Anyway, validation is validation. All data that arrives at the server from "outside" (user input, external sites, etc.) should be checked before you use it in any way. That also means that any checks you did client side have to be redone server side, because you can never be sure the user didn't bypass the client-side checks.

mysql_real_escape_string() is very useful to prevent MySQL injection through strings if you use the mysql_ functions (if you use PDO, for example, there's no need for it because that part of validation is taken care of by PDO).

I was just checking with the mysql_real_string_escape function; I entered the word 'Extra"s' and it inserted it. How does it work?

nofel,

Try using mysql_real_escape_string (notice the order of the words).

The documentation is located at http://us.php.net/manual/en/function.mysql-real-escape-string.php

Here is my code:

<?php
    // Escape a value for use in a mysql_* query, taking magic_quotes_gpc into account.
    function mysql_prep( $value ) {
        $magic_quotes_active = get_magic_quotes_gpc();
        $new_enough_php = function_exists( "mysql_real_escape_string" );
        if( $new_enough_php ) {
            // Undo magic quotes first so the value is not escaped twice.
            if( $magic_quotes_active ) { $value = stripslashes( $value ); }
            $value = mysql_real_escape_string( $value );
        } else {
            // Older PHP without mysql_real_escape_string(): fall back to addslashes().
            if( !$magic_quotes_active ) { $value = addslashes( $value ); }
        }
        return $value;
    }
?>

And here I am applying it:

mysql_prep($obj->dealer_name = pv($_POST['dealer_name']));

But in the database, all the / and " and ' get inserted. I wonder what I am doing wrong. How can I check?

Probably a much better idea is to use filter_input
http://www.php.net/manual/en/function.filter-input.php
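Putting the earlier reply (redo every check server side, and let PDO handle quoting) together with the filter_input suggestion, here is an added example that is not from anyone in this thread. It uses filter_var on a constructed input array where a real request would use filter_input(INPUT_POST, ...), an in-memory SQLite PDO connection so it runs without a MySQL server, and field names that are made up for the example.

```php
<?php
// Added example, not from the thread. Server-side validation followed by a
// prepared statement. SQLite in memory is used so it runs offline; with MySQL
// only the DSN changes, the validation and query code stay the same.

// Constructed input standing in for $_POST. In a real request, use
// filter_input(INPUT_POST, 'dealer_name', FILTER_UNSAFE_RAW) etc. instead.
$post = [
    'dealer_name' => "O'Reilly \"Extra\" Motors",   // quotes are legitimate data
    'dealer_id'   => '42abc',                        // not a valid integer
];

// Re-doing the client-side checks here is the point: the browser can skip them.
// Returns [errors, clean]; only values in $clean should ever reach a query.
function validateDealer(array $input): array
{
    $errors = [];
    $clean  = [];

    // Free text: string, trimmed, non-empty, bounded length. No escaping here:
    // quoting for SQL is the prepared statement's job, not validation's.
    $name = isset($input['dealer_name']) ? trim((string) $input['dealer_name']) : '';
    if ($name === '' || strlen($name) > 100) {
        $errors['dealer_name'] = 'must be 1-100 bytes';
    } else {
        $clean['dealer_name'] = $name;
    }

    // Integer: FILTER_VALIDATE_INT rejects "42abc" rather than truncating it to 42.
    $id = filter_var($input['dealer_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        $errors['dealer_id'] = 'must be a positive integer';
    } else {
        $clean['dealer_id'] = $id;
    }
    return [$errors, $clean];
}

[$errors, $clean] = validateDealer($post);
print_r($errors);

// Bound parameters keep the value separate from the SQL text, so the quotes in
// dealer_name are stored as-is and cannot alter the statement.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE dealers (id INTEGER PRIMARY KEY, dealer_name TEXT NOT NULL)');
$stmt = $pdo->prepare('INSERT INTO dealers (dealer_name) VALUES (:name)');
$stmt->execute([':name' => $clean['dealer_name']]);
echo $pdo->query('SELECT dealer_name FROM dealers')->fetchColumn(), PHP_EOL;
```

The dealer_name field passes validation with its quotes intact and is inserted unchanged, while dealer_id is rejected before any query is built.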

If you try to escape a string which contains signs such as ' or " and it doesn't work, check your website/file charset! Maybe it is NOT UTF-8.