

Is This Safe?


2 replies to this topic

#1 .CJ

    Young Padawan

  • Members
  • Pip
  • 114 posts
  • Gender:Male
  • Location:Leeds, UK

Posted 19 September 2007 - 07:17 PM

Hey all,

Got a question for you.

I've read a lot of articles on security before I began development on my new project, and after a lot of reading, I saw that htmlspecialchars() and mysql_real_escape_string() are both good for stopping SQL injections and XSS attacks.

So I put the two together to get this function:

//--------------------
// Security Function for inputs
//--------------------
// Note: mysql_real_escape_string() needs an open mysql_connect() link,
// so this has to be called after connecting to the database.
function escape($str) {
    return htmlspecialchars(mysql_real_escape_string($str));
}
Then I use them when using POST and GET, etc.

Just out of curiosity, as I know there are some good PHP developers here... is this a good function to use? Any input or enhancements on this would be good to hear.

Look forward to a reply.

- Chris.

#2 Mr. Matt

    Moderator

  • P2L Staff
  • PipPipPipPip
  • 1,945 posts
  • Gender:Not Telling

Posted 19 September 2007 - 08:14 PM

Yeah, it's a good idea to pass all the values being used on a database through those functions via one easy and short function to remember.

So simply for doing some securing on the data, that is good; you can take it further to check what you are getting to make sure that it is valid.

Matt

#3 rc69

    PHP Master PD

  • P2L Staff
  • PipPipPipPip
  • 3,827 posts
  • Gender:Male
  • Location:Here
  • Interests:Web Development

Posted 19 September 2007 - 09:20 PM

If you plan on distributing this, you should probably use get_magic_quotes_gpc().

If not, then you should probably check your server settings for it and then replace mysql_real_escape_string() with addslashes(). The mysql function should only be used on input that will be used in an SQL query. It doesn't make sense to use it on something you plan on just echoing back out.
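The separation rc69 describes (the MySQL function only for query input, HTML encoding only when echoing), with the behaviour of the combined escape() from post #1 traced alongside it and Matt's "check that it is valid" step, as an added example that is not part of the thread. It assumes PHP with the pdo_sqlite extension: an in-memory SQLite database stands in for MySQL so it runs offline, and addslashes() stands in for mysql_real_escape_string(), which needs a live MySQL link; for quotes both emit a backslash. The sample request values are constructed.

```php
<?php
// Added example, not code from the thread. Part 1 traces what the combined
// escape() from post #1 does to a sample string; part 2 shows one job per
// boundary: bound parameters for SQL, htmlspecialchars() at output, and a
// validation check on the data itself.
// Assumptions: pdo_sqlite is available (SQLite in memory replaces MySQL so
// this runs offline; the PDO calls are the same against a mysql: DSN), and
// addslashes() replaces mysql_real_escape_string(), which needs a MySQL link.

// --- 1. The combined function, and what it does to a double quote ------
function escape_combined($str) {
    return htmlspecialchars(addslashes($str));
}

$sample  = 'Say "hi" <b>';                   // constructed sample input
$escaped = escape_combined($sample);
// Say \&quot;hi\&quot; &lt;b&gt;
echo $escaped, "\n";

// Placed inside a quoted SQL literal, the backslashes are consumed by the
// SQL parser, so the table ends up holding HTML entities, not the text.
$stored = stripslashes($escaped);            // simulates the SQL parse
// Say &quot;hi&quot; &lt;b&gt;
echo $stored, "\n";

// Encoding again at output (the normal place to do it) now double-encodes.
// Say &amp;quot;hi&amp;quot; &amp;lt;b&amp;gt;   -> browser shows "&quot;"
echo htmlspecialchars($stored), "\n";

// --- 2. One job per boundary --------------------------------------------
function raw_input($value) {
    // Undo magic quotes once, if the server has them on (PHP 5 setting;
    // the function no longer exists in PHP 8, hence the guard).
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

function html_out($value) {
    // Encode for HTML at the moment of echoing, and only then.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function valid_id($value) {
    // Check the value is what the application expects, not just escaped.
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

// Constructed request values, as they would arrive in $_POST / $_GET.
$post = ['id' => '7', 'name' => "O'Reilly <script>alert(1)</script>"];

$name = raw_input($post['name']);
$id   = valid_id($post['id']);               // int(7); 'abc' or '-1' -> null

// Bound parameters: the quote never reaches the SQL parser as syntax.
$stmt = $db->prepare('INSERT INTO users (id, name) VALUES (:id, :name)');
$stmt->execute([':id' => $id, ':name' => $name]);

$row = $db->query('SELECT name FROM users WHERE id = 7')->fetch(PDO::FETCH_ASSOC);
var_dump($row['name'] === $name);            // bool(true): stored unchanged

// O&#039;Reilly &lt;script&gt;alert(1)&lt;/script&gt;
echo html_out($row['name']), "\n";
```

Run it with the PHP CLI; part 1 prints the three stages of the double-encoding, part 2 shows the raw text surviving the round trip and being encoded exactly once on the way out.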
