Simple but effective user input securing
strip_tags() and then to use htmlspecialchars(). Well, they're not only illogical, but they're also giving you insufficient information.

Illogical because:

strip_tags() removes HTML characters like < and > to make the input safe to display. Then htmlspecialchars() turns them into their HTML entity equivalents (i.e. a space is ). So you are removing them and then securing them. Obviously that plan is flawed, since there's nothing to secure if it doesn't exist :)
So, just htmlspecialchars() will do. However, this is insufficient because:
It doesn't help against SQL injections, because these don't always require HTML. They affect MySQL, not the browser.
So solution:
Once you have the user input in a variable (here we use $input), process it like this:

$input = htmlspecialchars($input); // $input will now contain the HTML entity equivalents of all HTML characters like <
$input = addslashes($input); // this will add slashes to negate the effect of an SQL injection

You would then insert $input into a database. It is now safe.
BUT
It has some slashes in funny places that negate SQL queries (but also where there is no SQL query).
So after extracting $input from the database, we must do this to print it:

$input = stripslashes($input); // this now removes all the funny slashes, BUT the code is still safe for a browser
print $input;
This will protect you against SQL injection and stop people from exploiting your site with JavaScript or funny HTML effects (e.g. they can't make popups or redirects).
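As an added example (not the tutorial's own code), here is the pipeline above run on a constructed input, beside the prepared-statement approach that stores the raw text and encodes it only at output. It assumes PHP 8 with the pdo_sqlite extension, with an in-memory SQLite database standing in for MySQL.

```php
<?php
// Added example, not part of the original tutorial. Assumes PHP 8 with the
// pdo_sqlite extension; an in-memory SQLite database stands in for MySQL.

// Constructed sample input mixing an SQL quote and an HTML payload.
$input = "O'Brien <script>alert(1)</script> & co";

// 1. The tutorial's pipeline: encode HTML, then escape quotes, before storage.
//    addslashes() only protects a value pasted inside a quoted SQL string
//    literal; it offers nothing in an unquoted context such as WHERE id = $x.
$stored = addslashes(htmlspecialchars($input, ENT_QUOTES, 'UTF-8'));

// 2. Parameterised alternative: keep the raw text, let the driver handle
//    quoting, and encode for HTML only at the moment of output.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// The placeholder keeps the quote in $input as data, so no slashes are needed.
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $input]);

// Read it back: the database holds exactly what the user typed, no stripslashes() required.
$row = $db->query('SELECT body FROM comments')->fetch(PDO::FETCH_ASSOC);
if ($row['body'] !== $input) {
    throw new RuntimeException('stored value was altered');
}

// Encode for the context it is rendered in (HTML), at output time.
$html = htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8');

echo "Tutorial pipeline stored: {$stored}", PHP_EOL;
echo "Prepared statement rendered: {$html}", PHP_EOL;
```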
