#1 Regular Coder (Join Date: Oct 2011, Posts: 237, Thanks: 11, Thanked 5 Times in 5 Posts)

Is this too much sanitising?

    Hi guys

I was just wondering if I was being a little over the top.

With all POST variables, even the <select> posts, I am using this. I have set up a function so I do not have to code this on every post, but you will get my gist!

PHP Code:
<?php
// Encode HTML special characters, drop any remaining tags, then trim whitespace
$name = trim(strip_tags(htmlentities($_POST["name"])));
// Escape the cleaned value for use inside a MySQL query string
$name_secure = mysql_real_escape_string($name);
?>
The reason I ask is that if this is too much for a common form, then it's unneeded code which doesn't need to be there.

Or do I need to do more on the front of other hacks within form submission and URL injection etc.?

#2 Senior Coder (Join Date: Jul 2011, Posts: 1,226, Thanks: 3, Thanked 171 Times in 171 Posts)
    All those functions perform different tasks, not all of them for security reasons.

trim removes whitespace, so it's an aesthetic function more than anything. strip_tags removes markup tags, for information you want displayed without HTML. htmlentities replaces markup characters (like < and > for example) for displaying the HTML code as plain text, making the strip_tags after it redundant. mysql_real_escape_string escapes characters that break out of queries (like ') to prevent MySQL injection.

    So to answer your question, it depends entirely on the effect you want on the input and output, although mysql_real_escape_string is essential for DB queries.
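The following is an added example, not code from either poster, that walks one constructed form value through the functions the reply describes so the effect and ordering of each step is visible. It assumes PHP 7 or later with the pdo_sqlite extension; because the mysql_* extension used in the question was removed in PHP 7.0, the database step is shown with PDO (PDO::quote for the escaping step, and a prepared statement as the replacement that avoids splicing the value into the SQL text at all). The input string, table name and column are constructed for this demonstration.

```php
<?php
// Added example (not from the original thread). Assumes PHP 7+ with pdo_sqlite.
// $raw stands in for a $_POST value; it is a constructed sample, not real data.
$raw = "  <b>O'Brien</b> <script>alert(1)</script>  ";

// 1. trim: whitespace only. Cosmetic, not a security step.
$trimmed = trim($raw);

// 2a. strip_tags, then htmlentities: tags are removed, and whatever special
//     characters remain are encoded so the value is safe to print inside HTML.
$display_a = htmlentities(strip_tags($trimmed), ENT_QUOTES, 'UTF-8');
echo $display_a, "\n";               // O&#039;Brien alert(1)

// 2b. htmlentities, then strip_tags (the order used in the question): once
//     < and > are encoded there are no tags left, so strip_tags changes nothing.
$encoded   = htmlentities($trimmed, ENT_QUOTES, 'UTF-8');
$display_b = strip_tags($encoded);
var_dump($display_b === $encoded);   // bool(true): the strip_tags call was redundant

// 3. The database step belongs to a different context. It protects the query,
//    not the HTML, so it is applied only to the value that is actually stored.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)');   // constructed table for the demo

// Escaping by hand, the role mysql_real_escape_string played for MySQL:
// the quote in O'Brien is doubled so it cannot terminate the string literal.
echo $db->quote(strip_tags($trimmed)), "\n";   // 'O''Brien alert(1)'

// Prepared statement: the value is bound as a parameter and never becomes
// part of the SQL text, so no escaping step is needed for the query.
$stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => strip_tags($trimmed)]);

// Encode for the HTML context at output time, not before storage, so the
// stored value stays usable in other contexts (CSV export, JSON, email).
foreach ($db->query('SELECT name FROM users') as $row) {
    echo htmlentities($row['name'], ENT_QUOTES, 'UTF-8'), "\n";   // O&#039;Brien alert(1)
}
```

The point of separating steps 2 and 3 is that each function targets one context: htmlentities and strip_tags shape what the browser renders, while quoting or parameter binding shapes what the database parses. Applying every function to every field mixes the two, which is why the same input can end up stored as an HTML-encoded string and then double-encoded on display.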

