James Andrew

Reputation: 7243

How could I make this PHP $_POST more secure? -Or is it secure already?

On most of my $_POST data input on my site I use the following PHP:

<?php
// Read the raw POST value, strip HTML tags, then escape it for use inside a quoted SQL string literal.
// mysql_real_escape_string() needs an open mysql_connect() link, so the connection must be opened first.
$example = $_POST['textfield'];
$example = strip_tags($example);
$example = mysql_real_escape_string($example);

And then I would interact with the MySQL database...

Is this 'secure' / 'safe'?

Any major exploits to the above code?

-How could I make it secure?

Upvotes: 1

Views: 1512

Answers (3)

SteAp

Reputation: 11999

While mysql_real_escape_string() protects against SQL injection, unwanted behavior might still exist.

Note that mysql_real_escape_string() does not escape % or _.

Thus, if a user enters e.g. % in a posted form field, a LIKE where clause may return much more data than intended.

See the final hint in the PHP manual here.

Upvotes: 1

beardhatcode

Reputation: 4773

mysql_real_escape_string makes it quite safe.

It always depends on what you want to do with the values. E.g. you don't want to strip_tags a password, you should just MD5 it. If you're storing it to be displayed on another page, you should use htmlspecialchars to disable -hacking.

And sometimes you should validate if an input is an integer, if it doesn't contain numbers, if there is no A in it, ...

So it really depends.

Upvotes: 1

Ibu

Reputation: 43850

One last thing to do is to validate the data:

You can check if it's an empty string, a number, or whatever data type you are expecting. For example, if you are expecting an email, you can use a regex to confirm that it is an actual email.

Upvotes: 4
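The points raised across the three answers (validate the type first, escape LIKE wildcards separately, escape for HTML only at output time) put together in one PHP snippet. This is an added example, not code from the question or any answer; it assumes a MySQL table `users` with columns `id`, `email` and `display_name`, and the DSN and credentials are placeholders. It uses PDO prepared statements, the replacement for the removed mysql_* functions.

```php
<?php
// Added example (not the asker's or any answerer's code): validate $_POST
// fields, then query with PDO prepared statements instead of escaping
// strings by hand. Assumptions: a MySQL table `users` (columns id, email,
// display_name); the DSN and credentials below are placeholders.
declare(strict_types=1);

function connect(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'PLACEHOLDER');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $pdo;
}

// Validate rather than only sanitise: reject anything the field should not contain.
function validateEmail(array $post, string $key): ?string {
    $v = $post[$key] ?? null;
    if (!is_string($v) || strlen($v) > 254) { return null; }
    return filter_var($v, FILTER_VALIDATE_EMAIL) === false ? null : $v;
}

// A bound parameter stops SQL injection but, like mysql_real_escape_string(),
// leaves % and _ alone, so a LIKE pattern still needs its wildcards escaped.
// '!' is used as the ESCAPE character to avoid backslash handling differences.
function escapeLike(string $s): string {
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $s);
}

function findUserByEmail(PDO $pdo, string $email): ?array {
    $stmt = $pdo->prepare('SELECT id, display_name FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function searchByNamePrefix(PDO $pdo, string $prefix): array {
    $sql = "SELECT id, display_name FROM users WHERE display_name LIKE :p ESCAPE '!'";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':p' => escapeLike($prefix) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage: escape for HTML at output time, not before storing (strip_tags() loses data).
$email = validateEmail($_POST, 'email');
$user  = $email === null ? null : findUserByEmail(connect(), $email);
if ($user !== null) {
    echo htmlspecialchars((string) $user['display_name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

A user-supplied `%` passed to searchByNamePrefix() matches only a literal percent sign, which is the case SteAp's answer warns about.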
