[RESOLVED] htmlspecialchars() function & security

prkarpi

Hi all.

Can someone give some pointers in increasing security with outputting DB variables into HTML and also taking HTML INPUT data and inputting it into DB. I know htmlspecialchars() is one of the functions that must be implemented. Any other ideas or suggestions. Thanks.

dagon

output is not a security issue, but input is, at a minimum use mysql_real_escape_string()

prkarpi

Dagon thanks.

I have implemented some security steps as follows:

$userSTP = mysql_real_escape_string($_SESSION['user_id']);
$dbSTP = mysql_real_escape_string("" . dbOne . "");
$query = "SELECT " . varOne . ", " . varTwo . ", " . varThree . " FROM $dbSTP WHERE ID = '" . $userSTP . "'";

Any other suggestion or comments. Thanks again.