Hi, this is my step for saving any data to the database:
Data (from browser) -> $Data = mysql_escape_string(strip_tags($_POST['Data']));
I do it for every form: register, post, every form if it has a submit button.
What do you think about it?
Well, I’ve found strip_tags() doesn’t always work properly and it really matters more what you do with the data when you retrieve it from the database later on. Always assume any user input is someone attempting to hack your system. That includes data you retrieve from your database - typically to process and display. I usually wrap displayed text with htmlspecialchars(), which takes care of most problems that crop up.
mysql_escape_string() isn’t something I use. I usually use database wrappers like Pear::DB/Pear::DB2 or a class that manages database access. Most database wrappers abstract away variable safety.
Personally, I wouldn’t necessarily run strip_tags() prior to database insertion for every single variable because that causes data loss. It really depends on what the data is for though.
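The reply above recommends three things: let the database layer handle value safety, escape at display time with htmlspecialchars(), and avoid strip_tags() before insertion because it destroys data. The following PHP is an added example, not code from either poster, showing those three points side by side. It assumes the pdo_sqlite extension is available (an in-memory SQLite database stands in for MySQL), and the `posts` table and the sample input are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): store user input with a prepared
// statement, keep it verbatim, and escape it only when it is rendered as HTML.

// Constructed sample input, as it might arrive in $_POST['Data'].
// Note the legitimate "<" and the "<b>" tag: strip_tags() cannot tell them apart
// from an attack, so it silently drops anything that looks like a tag.
$sample = "1 < 2 and <b>bold</b> is what the user actually typed";

// What the original poster's approach would have persisted (lossy).
function lossyStrip(string $s): string
{
    return strip_tags($s);
}

// Store verbatim. The driver sends the value separately from the SQL text,
// so the value never needs escaping and nothing is lost. This is the
// "variable safety" that database wrappers abstract away.
function storePost(PDO $pdo, string $data): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $data]);
    return (int) $pdo->lastInsertId();
}

function loadPost(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['body'] : null;
}

// Escape at the point of display, for the HTML context. Quotes are covered
// too, so the value is also safe inside an attribute.
function renderHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// In-memory SQLite so the example runs without a MySQL server (assumption:
// pdo_sqlite is installed). The schema is constructed for this example.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT NOT NULL)');

$id     = storePost($pdo, $sample);
$stored = loadPost($pdo, $id);

echo "strip_tags() would have saved: ", lossyStrip($sample), PHP_EOL;
echo "stored verbatim:               ", $stored, PHP_EOL;
echo "rendered in an HTML page:      ", renderHtml($stored), PHP_EOL;
```

The first line of output shows the `<b>` tags gone for good; the second shows the database holding exactly what was submitted; the third shows the same text made safe for the browser without touching what is stored. Escaping belongs to the output context (HTML here, SQL handled by the prepared statement), not to the moment of storage. Note also that mysql_escape_string() and the rest of the old mysql_* functions were removed in PHP 7, so the PDO or mysqli prepared-statement route is the one that still works.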