CloudSex13 Posted October 27, 2010 Share Posted October 27, 2010 Hi all, Thanks for reading. I'm developing my first website with user registration, login, and account settings, and I was wondering what the best way would be to prevent the site from security flaws, SQL injection, etc. I've read up on it, but, as an example, would the following be suitable? $username = trim(stripslashes(mysql_real_escape_string($_POST['username']))); I guess what I'm asking is, is the above normal? Is there a simpler way to make input from the user secure? Thank you. Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted October 27, 2010 Share Posted October 27, 2010 what I do to request values that are going into the database: $somevar = trim($_POST['somevar']); // trim off extra space if (get_magic_quotes_gpc()) { // if magic_quotes is turned on, strip slashes $somevar = stripslashes($somevar); } $somevar = mysql_real_escape_string($somevar); // $somevar is safe for database by the way, don't put stripslashes() around mysql_real_escape_string, because stripslashes will strip the slashes out that mysql_real_escape_string puts in. Quote Link to comment Share on other sites More sharing options...
AbraCadaver Posted October 27, 2010 Share Posted October 27, 2010 You only want to stripslashes() if you have magic_quotes_gpc enabled and in your example you are possibly adding slashes with mysql_real_escape_string() and then immediately stripping them. You could probably do something like this: if(magic_quotes_gpc()) { $_POST = array_map('stripslashes', $_POST); } $_POST = array_map('mysql_real_escape_string', $_POST); Beat me to it! So I will also add the trim: $_POST = array_map('mysql_real_escape_string', array_map('trim', $_POST)); Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted October 27, 2010 Share Posted October 27, 2010 ^ much more concise. i need to remember to use array_map. Quote Link to comment Share on other sites More sharing options...
CloudSex13 Posted October 27, 2010 Author Share Posted October 27, 2010 BlueSkyIS, AbraCadaver: Brilliant replies - thank you kindly for the suggested feedback! Additionally, the PHP.net manual seems to state that Magic Quotes are now deprecated. Is this still the most efficient way to manage secure POST variables? I'm sure I'm just missing something, as my knowledge with "Magic Quotes" is limited. Ref: http://php.net/manual/en/security.magicquotes.php Thank you again. Quote Link to comment Share on other sites More sharing options...
AbraCadaver Posted October 27, 2010 Share Posted October 27, 2010 It's deprecated as of 5.3, so if you will only be running 5.3+ then there is no need to worry about this. Quote Link to comment Share on other sites More sharing options...
CloudSex13 Posted October 28, 2010 Author Share Posted October 28, 2010 Thanks very much! I now understand. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.