  1. #1
    New Coder
    Join Date
    Jan 2013
    Posts
    74
    Thanks
    19
    Thanked 1 Time in 1 Post

    Best Security Measures on User Input

    On a form where users can input information, is it best to use strip_tags or use htmlentities or do both?

    Also, is it necessary to filter the output on a form? For instance if all fields are required and they leave one field empty, then all the info they previously input is now displayed in the form fields again - should this be filtered going out as well?

  2. Users who have thanked cgdtalent for this post:

    salesmachine (02-08-2013)

  • #2
    New to the CF scene
    Join Date
    Feb 2013
    Posts
    2
    Thanks
    2
    Thanked 1 Time in 1 Post
    I think strip_tags will be the best measures for your category.

  • #3
    Regular Coder LearningCoder's Avatar
    Join Date
    Jan 2011
    Location
    The Pleiades
    Posts
    922
    Thanks
    76
    Thanked 29 Times in 29 Posts
    You could just use mysqli prepared statements, then when you want to display the data from the database to yourself or for whatever purpose, you could strip the tags then. I've always been told if you are re-displaying the data, then don't edit what the user has put. I used to strip all tags and as many 'special characters' as I could but was told to simply leave them in, then when you need to use that data, use those types of functions when re-displaying.

    So now I leave the data as it is, insert using a prepared statement, then strip certain tags out, but only a few. I'm still not 100% sure on the way to handle data which you re-display on your website.

    Regards,

    LC
    Last edited by LearningCoder; 02-08-2013 at 08:22 AM.

  • #4
    Regular Coder
    Join Date
    Oct 2011
    Posts
    237
    Thanks
    11
    Thanked 5 Times in 5 Posts
    I use PDO prepared statements to make sure input fields are safe.

    I use it for anything I am dragging from a website, including when fetching data from the URL.
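The approach the replies converge on, storing the raw value with a prepared statement and escaping only at output, applied to the re-display case asked about in the opening post. This is an added example, not code posted in the thread; the table, field names and sample submission are assumptions, and it uses an in-memory SQLite database so it runs stand-alone.

```php
<?php
declare(strict_types=1);

// Escape for an HTML text node or a double-quoted attribute value.
// Unlike strip_tags, this keeps the user's text intact and only neutralises
// it for the HTML context; strip_tags discards text and leaves quotes alone,
// so a stripped value is still not safe inside an attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Validation only: report which required fields are empty.
function missingFields(array $input, array $required): array
{
    $missing = [];
    foreach ($required as $name) {
        if (!isset($input[$name]) || trim((string) $input[$name]) === '') {
            $missing[] = $name;
        }
    }
    return $missing;
}

// In-memory SQLite so the example runs stand-alone; the schema is an assumption.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE profiles (name TEXT NOT NULL, bio TEXT NOT NULL)');

// Constructed sample submission standing in for $_POST; "bio" was left empty.
$post     = ['name' => "O'Brien <b>& Sons</b>", 'bio' => ''];
$required = ['name', 'bio'];

$missing = missingFields($post, $required);
if ($missing === []) {
    // Values are bound as parameters, never concatenated into the SQL, so
    // quotes or markup in them cannot change the statement. Store them as typed.
    $stmt = $pdo->prepare('INSERT INTO profiles (name, bio) VALUES (:name, :bio)');
    $stmt->execute([':name' => $post['name'], ':bio' => $post['bio']]);
} else {
    // Re-display the form: the previous values go back out unchanged except
    // for escaping at the point of output, because the browser will parse them.
    echo '<p>Please fill in: ' . e(implode(', ', $missing)) . "</p>\n";
    foreach ($required as $name) {
        printf("<input type=\"text\" name=\"%s\" value=\"%s\">\n", e($name), e($post[$name] ?? ''));
    }
}
```

The same stored value would need a different escaper if it were later placed in a JavaScript string or a URL; htmlspecialchars covers the HTML body and attribute contexts shown here.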

