Public Web Form Security

middleman666

Hey people,

I'm building a public webform that anyone can use, but I'm unsure about the security measures I should take when handling the data people submit.

At the moment I have a field and I do the following with it before submitting it to a database:

$text = $_POST['text'];
$text  = htmlspecialchars($text );
$text  = stripslashes($text );

Is that enough to keep my form secure? or should I be doing a whole lot more?

Thanks.

Piranha

You should use [man]mysql_real_escape_string[/man] if you use php4 and prepared statements if you use php5. htmlspecialchars should not be used when you insert into the database, it should be used when outputting data in the html page.

middleman666

Thanks for the reply.

If I use mysql_real_escape_string when submitting to the database and only use htmlspecialchars when reading the data out, should I also only use stripslashes when reading from the database?

Piranha

No. With mysql_real_escape_string the data is stored without the slashes.

But if you have magic_quotes on then you should use stripslashes first and then mysql_real_escape_string.

middleman666

I'm not sure if magic_quotes is on or not as its shared hosting.

At the moment I'm using mysql_real_escape_string before submitting to the database and then using htmlspecialchars and then stripslashes before reading it out onto the webpage. - This seems to be working fine, could you tell me what the problem is with doing it this way?

Is it just the fact that I have to use stripslashes everytime I want to read out the data?

Piranha

I think that information regarding this is in the manual[/man].