Hi all,
I have some forms on which user must enter some data. This data is sometimes used to be inserted/updated in the database, and sometimes to query it with a SELECT.
The scripts that do that do not accept HTML code to be entered. I think with that we have some issues solved.
My way for doing it is:
Have magic_quotes_gpc = ON (info is automatically slashed when received by the script). If magic_quotes_gpc is off on the server, I manually apply addslashes() to the entered data.
Also, I pass the entered data through strip_tags() and htmlspecialchars().
The code is something like this:
    $uservar = $_POST['uservar'];
    // strip tags first, then encode whatever is left for HTML
    $uservar = htmlspecialchars(strip_tags($uservar));
    // only add slashes ourselves when the server has not already done it
    $securevar = get_magic_quotes_gpc() ? $uservar : addslashes($uservar);
When the expected value is an INT, I just apply intval():
    $securevar = intval($uservar);
Well, I'd like to know if this can be considered secure enough to pass $securevar to the database, or whether I should check something more before doing so.
Any help or comment will be really useful.
Regards, Jordi Canals
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
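Added example, not part of Jordi's post or of any reply on the list: it contrasts the slash-and-interpolate approach from the message with prepared statements, using PDO against an in-memory SQLite database so it runs offline. It assumes PHP 7.4 or later with the pdo_sqlite extension; the table, the sample rows and the function names are constructed for this example. Note that addslashes() does nothing useful when the value lands in an unquoted numeric position such as `WHERE id = $securevar`, and that htmlspecialchars() is an output-encoding function, so the example stores the raw value and encodes only when rendering.

```php
<?php
// Added example (not from the original post). Assumes PHP 7.4+ with pdo_sqlite.
declare(strict_types=1);

// Build an in-memory database with a few constructed rows, including a
// name that contains a single quote and one that contains HTML tags.
function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (id, name) VALUES (:id, :name)');
    foreach ([[1, 'Jordi'], [2, "O'Reilly"], [3, '<b>Bob</b>']] as [$id, $name]) {
        $ins->execute([':id' => $id, ':name' => $name]);
    }
    return $pdo;
}

// The approach from the post: slash the input and paste it into the SQL.
// In an unquoted numeric context there is no quote for addslashes() to
// escape, so an input like "1 OR 1=1" changes the WHERE clause.
function lookupByIdEscaped(PDO $pdo, string $input): array {
    $securevar = addslashes($input);
    $sql = "SELECT id, name FROM users WHERE id = $securevar";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Validate the integer strictly (reject rather than coerce), then bind it.
// The SQL text never contains user data, so no escaping is needed.
function lookupByIdSafe(PDO $pdo, string $input): array {
    $id = filter_var($input, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// String parameters are bound the same way; "O'Reilly" is matched as-is,
// without addslashes() and without mangling the stored value.
function lookupByNameSafe(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Store raw, encode at output time, for the context where it is printed.
function renderName(string $name): string {
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = makeDb();

echo "Escaped lookup, input '1 OR 1=1':\n";
print_r(lookupByIdEscaped($pdo, '1 OR 1=1'));

echo "Safe lookup, input '1 OR 1=1':\n";
try {
    print_r(lookupByIdSafe($pdo, '1 OR 1=1'));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}

echo "Safe lookup, input '2':\n";
print_r(lookupByIdSafe($pdo, '2'));

echo "Safe name lookup, input O'Reilly:\n";
print_r(lookupByNameSafe($pdo, "O'Reilly"));

echo "Rendered name for the HTML row:\n";
echo renderName(lookupByIdSafe($pdo, '3')[0]['name']) . "\n";
```

Run it with `php example.php`. The escaped lookup returns every row for the input `1 OR 1=1`, because the slashes were applied to a string that contains no quote; the validated and bound version refuses that input and returns only the matching row for a real integer. The same pattern covers the INSERT/UPDATE case from the post: bind the raw value, and leave strip_tags() and htmlspecialchars() for the point where the value is printed into a page.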