Reputation: 21
Is
$username = $_POST['username'];
$sanitizedUsername = strip_tags(stripcslashes($username));
enough to prevent malicious SQL injections and other types of attacks? If not, what else should I use?
P.S. I want to allow users to choose usernames and passwords that contain alphanumeric, space and symbol characters (except those like quotes or asterisks that are used in MySQL statements).
Upvotes: 2
Views: 140
Reputation: 3840
If your environment allows it, always use parametrized queries to avoid SQL injection: http://pl.php.net/manual/en/mysqli.prepare.php
Upvotes: 2
Reputation: 21003
Use mysql_real_escape_string:
string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )
http://www.php.net/mysql_real_escape_string
Upvotes: 1
Reputation: 17977
When you insert into the database, use:
mysql_real_escape_string($_POST['username']);
When you are outputting to HTML, use:
htmlspecialchars($_POST['username']);
Upvotes: 2
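Putting the advice from the answers above together (a prepared statement for the insert, htmlspecialchars at output time), as an added example that is not from any of the answers. It uses mysqli rather than the mysql_* functions, which were removed in PHP 7.0, and the connection credentials and the `users` table it relies on are assumptions labelled in the comments.

```php
<?php
// Added example, not from any answer above. Assumes (hypothetical) a local MySQL
// database "app" reachable with the credentials below, and a table
// users(id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(64), password_hash VARCHAR(255)).
$mysqli = new mysqli('localhost', 'app_user', 'app_pass', 'app');
if ($mysqli->connect_error) {
    die('Connection failed: ' . $mysqli->connect_error);
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// Validation is about the data, not about SQL: non-empty, printable, bounded length.
// Quotes and asterisks are allowed because the bound parameter below keeps them as data.
if ($username === '' || strlen($username) > 64 || !ctype_print($username)) {
    die('Invalid username');
}

// The SQL text contains only placeholders; the user input is bound separately and
// never concatenated into the statement, so it cannot alter the query structure.
$stmt = $mysqli->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$hash = password_hash($password, PASSWORD_DEFAULT); // never store the raw password
$stmt->bind_param('ss', $username, $hash);
$stmt->execute();
$stmt->close();

// Reading the row back uses a bound parameter in the same way.
$stmt = $mysqli->prepare('SELECT username FROM users WHERE username = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($storedName);
$stmt->fetch();
$stmt->close();

// Escaping for SQL and escaping for HTML are separate concerns: encode for the
// HTML context only at the point where the value is written into the page.
echo 'Welcome, ' . htmlspecialchars($storedName, ENT_QUOTES, 'UTF-8');
```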