For input sanitizing (and this will be helpful to anyone who writes code),
listen to Dan Kaminsky's keynote at "The Next HOPE". He did a very good job
of explaining the landscape of web programming and the essence of SQL
injection and XSS, and proposed pretty neat ways to fix these.

If you are writing the app from scratch, to prevent SQL injection, use
MySQLi + prepared statements... or implement the base64 hack. Or, I am
working on a library to simplify and secure MySQL in PHP for some of my
work; though it's got a few implementation quirks, it does fail by default,
it does not allow you to insecurely interpolate, and it does use prepared
statements for everything. I am sharing it with anyone who wants to look at

Anyways, here's a direct link:


The trouble with programmers is that you can never tell what a programmer is
doing until it’s too late.  ~Seymour Cray
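To make the advice above concrete, here is an added example (not code from the original thread, and not the poster's library). It assumes a hypothetical `registrations` table with `name` and `email` columns and a form with those two fields, and it shows the two escaping contexts the thread touches on: a MySQLi prepared statement for the database write, where bound values replace any string escaping, and `htmlspecialchars()` for echoing the data back to the browser, which is the XSS side; `addslashes()` serves neither purpose.

```php
<?php
// Added example: MySQLi prepared statements for the database write and
// per-context escaping for output. The table "registrations" and the
// form fields "name" and "email" are hypothetical.

declare(strict_types=1);

// 1. Database write: bind the values instead of interpolating them into the
//    SQL text. The statement structure is fixed before the values arrive, so a
//    quote in $name cannot alter it. No addslashes() or
//    mysql_real_escape_string() is needed (or wanted) here.
function saveRegistration(mysqli $db, string $name, string $email): int
{
    $stmt = $db->prepare(
        'INSERT INTO registrations (name, email) VALUES (?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $name, $email);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// 2. Echoing the data back to the user in a page: escape for HTML, not for
//    SQL. addslashes() would leave "<script>" intact and add stray
//    backslashes to the display.
function htmlField(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. Building the plain-text email body: the text is not parsed as HTML or
//    SQL, so no escaping belongs here; keep the values as the user typed them.
//    The recipient and subject come from configuration, not from the form.
function registrationEmailBody(array $fields): string
{
    $lines = [];
    foreach ($fields as $label => $value) {
        $lines[] = $label . ': ' . $value;
    }
    return implode("\n", $lines);
}

// Usage with a constructed, deliberately awkward input:
$input = [
    'name'  => "O'Brien <script>alert(1)</script>",
    'email' => 'someone@example.com',
];
echo htmlField($input['name']), "\n";
// $db = new mysqli('localhost', 'user', 'pass', 'app');
// $id = saveRegistration($db, $input['name'], $input['email']);
// mail('registrar@example.com', 'New registration', registrationEmailBody($input));
```

The point to take away is that escaping is chosen by the destination of the data, not applied once at the input: the same `$name` is bound for MySQL, HTML-escaped for the browser, and left untouched for the plain-text email.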

On Wed, May 18, 2011 at 9:18 PM, Jason Pruim <> wrote:

> Hey Everyone,
> Probably a simple question but I wanted to make sure I was right before I
> got too far ahead of myself....
> I have a form that I am working on and this form will be emailed to the
> recipient for processing (Not stored in a database).
> When I store in a database, I simply run all the data through
> mysql_real_escape_string() and it's all good...  Without the database, is it
> just as easy as addslashes($var)? or is there more that needs to be done?
> In the end, the info will be echoed back out to the user to be viewed but
> not edited, and emailed to someone to add the registration, collect money,
> etc., etc.
> Am I on the right track or do I need to rethink my whole process? :)
> Thanks Everyone!
> --
> PHP General Mailing List (
> To unsubscribe, visit:
