safe data (validation on form)


Bobby_S
03-12-2005, 08:53 AM
hi all, :)

tell me, is this safe, or can I (or MySQL) still be harmed:

- I have register_globals OFF
- all input variables are checked like this:

$var = htmlspecialchars ($_POST[$var]);

before being put into the DB.

How do you guys validate input and secure your DB?

thx!!

ShrineDesigns
03-12-2005, 01:34 PM
adding slashes or using mysql_escape_string() is a good idea

foreach ($_POST as $k => $v)
{
    // add slashes only when magic_quotes_gpc has not already done so
    $_POST[$k] = (!get_magic_quotes_gpc()) ? addslashes($v) : $v;
}

AdamGundry
03-12-2005, 01:38 PM
Another tip is to accept user input as an integer where possible, then convert it with intval(). The basic principle is to choose what users are allowed to enter, rather than trying to disallow all dangerous stuff.

Adam
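
Putting Adam's allow-list approach together with the escaping from ShrineDesigns' post, as an added example that is not from any poster in this thread (the field names, the table and the connection details are assumed for illustration):

```php
<?php
// Added example (not from the thread): decide what each field may contain,
// convert or reject it, and escape exactly once at the point it enters the query.
// Field names ('id', 'username', 'comment') and the table are assumed.

// Undo magic_quotes_gpc so that slashes are never added twice.
function raw_input($value)
{
    return get_magic_quotes_gpc() ? stripslashes($value) : $value;
}

// Integers: convert with intval(), then reject anything outside the expected range.
function valid_id($value)
{
    $id = intval(raw_input($value));
    return ($id > 0) ? $id : false;   // false means "reject the request"
}

// Short text: allow only the characters the application actually needs.
function valid_username($value)
{
    $name = raw_input($value);
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $name) ? $name : false;
}

// Free text: escape for MySQL when building the query, not before.
// htmlspecialchars() belongs at output time (HTML), not at insert time.
function quote_for_mysql($link, $value)
{
    return "'" . mysql_real_escape_string(raw_input($value), $link) . "'";
}

// Constructed sample input standing in for $_POST.
$post = array('id' => '42abc', 'username' => 'bob_s', 'comment' => "it's fine");

$id   = valid_id($post['id']);
$name = valid_username($post['username']);
if ($id === false || $name === false) {
    die('invalid input');
}

$link = mysql_connect('localhost', 'user', 'pass'); // assumed credentials
$sql  = sprintf("INSERT INTO comments (id, username, body) VALUES (%d, %s, %s)",
                $id,
                quote_for_mysql($link, $name),
                quote_for_mysql($link, $post['comment']));
mysql_query($sql, $link);
```

The integer and username checks reject bad input outright instead of trying to clean it; only the free-text field relies on escaping, and that escaping happens once, against the live connection's character set.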

bokeh
03-12-2005, 01:48 PM
"magic quotes GPC on" can also help neutralise bogus form data.

ShrineDesigns
03-12-2005, 02:10 PM
Originally posted by bokeh
"magic quotes GPC on" can also help neutralise bogus form data.

magic_quotes_gpc automatically adds slashes to $_GET, $_POST, and $_COOKIE data