Folks,
Is it really necessary to filter user inputs to my web form using the stripslashes() and strip_tags() PHP functions, since the user inputs will be dumped into my MySQL DB using prepared statements?
Even though I will be using prepared statements, should I still code a filter like the following to filter the user-inputted data before dumping the data into my MySQL DB using prepared statements? That is the big question tonight.
[code]
<?php
// define variables and set to empty values
$name = $email = $gender = $comment = $website = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $name    = test_input($_POST["name"]);
    $email   = test_input($_POST["email"]);
    $website = test_input($_POST["website"]);
    $comment = test_input($_POST["comment"]);
    $gender  = test_input($_POST["gender"]);
}

function test_input($data) {
    $data = trim($data);            // drop leading/trailing whitespace
    $data = stripslashes($data);    // remove backslashes added by magic quotes
    $data = htmlspecialchars($data); // convert <, >, &, " to HTML entities
    return $data;
}
?>
[/code]
Or maybe I should just use the htmlspecialchars() filter only here?
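An added example (not from the original post) showing the split the question is circling: the prepared statement binds the raw input as data, so stripslashes() and htmlspecialchars() are not needed for the database write, and htmlspecialchars() is applied only when the stored value is rendered into HTML. It uses an in-memory SQLite database via PDO so it runs offline; the table and column names are assumptions.

```php
<?php
// Added example: store raw input with a prepared statement, escape at output.
// SQLite in-memory stands in for MySQL; the guestbook table is an assumption.
declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, name TEXT NOT NULL, comment TEXT NOT NULL)');
    return $db;
}

// Storage: values are bound as parameters, so quotes, backslashes and tags are
// never parsed as SQL. Only trim() is applied; stripslashes() would mangle a
// backslash the user typed, and htmlspecialchars() here would store entities
// instead of the actual text.
function saveComment(PDO $db, string $name, string $comment): int {
    $stmt = $db->prepare('INSERT INTO guestbook (name, comment) VALUES (:name, :comment)');
    $stmt->execute([':name' => trim($name), ':comment' => trim($comment)]);
    return (int) $db->lastInsertId();
}

// Output: escape for the HTML context at render time. ENT_QUOTES also covers
// single quotes so the value is safe inside attribute values, not just text.
function renderComment(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT name, comment FROM guestbook WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p><b>' . $h($row['name']) . '</b>: ' . $h($row['comment']) . '</p>';
}

$db = openDb();
// Constructed sample input containing the characters the post's filters target.
$id = saveComment($db, "O'Reilly", 'I said "hi" <script>alert(1)</script> and \\ is a backslash');

// Rendered HTML: tags and quotes appear as entities, nothing executes.
echo renderComment($db, $id), PHP_EOL;

// Stored value is the user's text, unchanged (no entities, backslash intact).
var_dump($db->query('SELECT comment FROM guestbook')->fetchColumn());
```

stripslashes() existed to undo the magic_quotes feature, which was removed in PHP 5.4, so on a current PHP it only strips backslashes the user actually typed.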