On Thu, 05 Aug 2004 03:11:33 +0200, Jordi Canals <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I have some forms on which users must enter some data. This data is
> sometimes inserted/updated in the database, and sometimes used to
> query it with a SELECT.
>
> The scripts that do that do not accept HTML code to be entered. I
> think with that we have some issues solved.
>
> My way of doing it is:
>
> Have magic_quotes_gpc = ON (info is automatically slashed when received
> by the script). If magic_quotes_gpc is off at the server, I manually
> apply addslashes() to the entered data.
>
> Also, I pass the entered data through strip_tags() and htmlspecialchars().
>
> The code is something like this:
>
> $uservar = $_POST['uservar'];
> $uservar = htmlspecialchars(strip_tags($uservar));
> $securevar = get_magic_quotes_gpc() ? $uservar : addslashes($uservar);
>
Here's a better solution. Turn off magic quotes, take out the addslashes, and
use your DB's quoting function. For mysql, this is mysql_quote_string() or
mysql_real_quote_string(). If you're using PEAR::DB, it's as easy as:
$db->quoteSmart(). You can/should apply those to all data you put in a query
to make sure that it won't screw anything up. If you use intval, you don't
actually need the quoting.

> When the expected value is an INT, just apply intval():
>
> $securevar = intval($uservar);
>
> Well, I'd like to know if this can be considered secure enough to pass
> the $securevar to the database, or I should consider something more to
> be checked before.
>
> Any help or comment will be really useful.
>

--
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
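The approach the reply recommends (no addslashes(), escape once with the database driver's own function, intval() for integer columns), written out as an added example that is not code from either poster; it assumes the mysqli extension, a table named `users` with an INT `id` and a VARCHAR `name` column, and placeholder connection parameters.

```php
<?php
// Added example: build SQL literals with the driver's quoting function instead
// of addslashes(). The `users` table, its columns and the connection values
// below are assumptions, not something from the thread.

// If a legacy server still has magic_quotes_gpc on, undo it first so the value
// is escaped exactly once, by the driver, and never double-slashed.
function raw_input(string $value): string {
    return (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
        ? stripslashes($value) : $value;
}

// Integer column: intval() yields a bare number, so no quoting is needed at all.
function id_literal($value): string {
    return (string) intval($value);
}

// String column: let the driver escape for the connection's charset, then wrap
// the result in single quotes. strip_tags()/htmlspecialchars() are deliberately
// not applied here; they belong at output time, not when building a query.
function string_literal(mysqli $db, string $value): string {
    return "'" . $db->real_escape_string(raw_input($value)) . "'";
}

// Assemble a SELECT from form data using only the two helpers above.
function build_lookup(mysqli $db, array $post): string {
    $sql = 'SELECT id, name FROM users WHERE 1=1';
    if (isset($post['id'])) {
        $sql .= ' AND id = ' . id_literal($post['id']);
    }
    if (isset($post['name'])) {
        $sql .= ' AND name = ' . string_literal($db, $post['name']);
    }
    return $sql;
}

// Demo with constructed form input; connection parameters are placeholders.
$db = @new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
if ($db->connect_error) {
    fwrite(STDERR, "no database: " . $db->connect_error . "\n");
    exit(1);
}
$db->set_charset('utf8mb4');   // escaping is charset-aware, so set it explicitly
$sample = ['id' => '42abc', 'name' => "O'Brien"];   // constructed POST data
echo build_lookup($db, $sample), "\n";
```

The `id` value comes through as a bare integer and the name's apostrophe is escaped by the driver, so neither magic quotes nor addslashes() plays any part in what reaches the database.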