I have an HTML form that will take data from a user and insert it into a database. I want to protect against common attacks. Right now I'm using this to take the user input from $_POST and store it in a new array $cleanVars

The data is just standard text and numerical data plus an email, so no URLs or HTML-formatted input (HTML should be stripped out).

I can't find any consistent recommendations on what needs to be used. Any recommendations on how to improve this:

[code=php]
$cleanVars = array();
foreach ($_POST as $varname => $value)
{
    $clean = trim($value);
    $clean = strip_tags($clean);               // remove any HTML tags
    $clean = mysql_real_escape_string($clean); // use in place of addslashes
    $clean = htmlentities($clean, ENT_QUOTES, 'UTF-8');
    // create sanitized array
    $cleanVars[$varname] = $clean;
}
[/code]

    Sorry, this came out as a double post. Ignore this one, please.

      As far as the database is concerned, mysql_real_escape_string() is all you need, then making sure that any non-numeric values are appropriately quoted. All the other stuff you did is for other purposes -- I'm not saying don't do them, but they don't affect the DB security. E.g.: htmlentities() is normally only needed when outputting the data to a browser, so you may not want to use it for data being input into the database, as it could make searching the DB more difficult, plus you risk making the text being inserted too long to fit into the column in question when it would, in fact, fit before applying htmlentities(). In any case, the mysql_real_escape_string() call should be the last thing applied after any other modifications before inserting it into the DB.

        PS: Also note that if you use the more up-to-date MySQLi extension, you can make use of prepared statements and place-holders for external values, which will automatically take care of escaping and quoting as needed (or you could also do that via the PDO extension).

          Since I don't want any HTML at all in the submission, the duplicate post changed the code to:

[code=php]
$cleanVars = array();
foreach ($_POST as $varname => $value)
{
    $clean = trim($value);
    $clean = strip_tags($clean);               // remove any HTML tags
    $clean = mysql_real_escape_string($clean); // use in place of addslashes
    // create sanitized array
    $cleanVars[$varname] = $clean;
}
[/code]

          So I removed html entities, which was redundant anyway, since I already stripped tags.

          PS: Also note that if you use the more up-to-date MySQLi extension, you can make use of prepared statements and place-holders for external values, which will automatically take care of escaping and quoting as needed (or you could also do that via the PDO extension).

          I don't know what MySQLi or PDO extensions are :-(

            The manual is your key to success (or more confusion 😉 ):
            [man]MySQLi[/man]
            [man]PDO[/man]

              SundariDevi;10993327 wrote:

              So I removed html entities, which was redundant anyway, since I already stripped tags.

              Not necessarily true.

              $string = '& this should also be run through htmlentities before being sent as text/html';
              

                Not necessarily true.
                PHP Code:
                $string = '& this should also be run through htmlentities before being sent as text/html';

                OK, but in that case I should do htmlentities before outputting the data, but not before storing it. Right?

                  SundariDevi;10993353 wrote:

                  OK, but in that case I should do htmlentities before outputting the data, but not before storing it. Right?

                  Right (at least in my opinion).
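
An added example, not code from the thread, that puts NogDog's advice above (a prepared statement with placeholders instead of mysql_real_escape_string(), HTML escaping applied only when the data is output) and the conclusion of the last exchange into one runnable script. It assumes a form with name, age and email fields, and uses an in-memory SQLite database so it runs without a MySQL server; swapping in the MySQL DSN shown in the comment is the only change needed for MySQL.

```php
<?php
// Added example, not from the thread. Validation happens once, the DB layer
// uses PDO placeholders (no manual escaping), and the view escapes on output.
// Assumption: the form has exactly these fields. Uses SQLite in memory so it
// runs stand-alone; for MySQL use 'mysql:host=localhost;dbname=app;charset=utf8mb4'
// and add PDO::ATTR_EMULATE_PREPARES => false to the options for native prepares.

declare(strict_types=1);

// Whitelist of expected fields and their types; anything else in $_POST is ignored.
const FIELDS = ['name' => 'text', 'age' => 'int', 'email' => 'email'];

/**
 * Clean and validate a $_POST-style array. Returns [cleanVars, errors].
 * Nothing here is escaped for the DB or for HTML: each layer does its own.
 */
function cleanInput(array $post): array
{
    $clean = [];
    $errors = [];
    foreach (FIELDS as $name => $type) {
        if (!isset($post[$name]) || !is_string($post[$name])) {
            $errors[$name] = 'missing';
            continue;
        }
        $value = strip_tags(trim($post[$name])); // no HTML wanted at all
        switch ($type) {
            case 'int':
                $v = filter_var($value, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 0, 'max_range' => 150]]);
                if ($v === false) { $errors[$name] = 'not a valid integer'; }
                else { $clean[$name] = $v; }
                break;
            case 'email':
                $v = filter_var($value, FILTER_VALIDATE_EMAIL);
                if ($v === false) { $errors[$name] = 'not a valid email'; }
                else { $clean[$name] = $v; }
                break;
            default: // plain text: non-empty and within the column width (bytes)
                if ($value === '' || strlen($value) > 100) { $errors[$name] = 'bad length'; }
                else { $clean[$name] = $value; }
        }
    }
    return [$clean, $errors];
}

// The values never touch the SQL text, so quotes in them cannot break out.
function insertUser(PDO $db, array $row): int
{
    $stmt = $db->prepare('INSERT INTO users (name, age, email) VALUES (:name, :age, :email)');
    $stmt->bindValue(':name', $row['name'], PDO::PARAM_STR);
    $stmt->bindValue(':age', $row['age'], PDO::PARAM_INT);
    $stmt->bindValue(':email', $row['email'], PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// HTML escaping belongs here, at output time, not in what is stored.
function renderRow(array $row): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf("<li>%s (%d) &lt;%s&gt;</li>\n", $e($row['name']), $row['age'], $e($row['email']));
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, age INTEGER NOT NULL, email TEXT NOT NULL)');

// Constructed sample submission standing in for $_POST: a tag to strip, an
// ampersand, a quote and an injection attempt all in the name field.
$post = [
    'name'  => " <b>Smith</b> & Sons'); DROP TABLE users;-- ",
    'age'   => '42',
    'email' => 'smith@example.com',
    'extra' => 'not in the whitelist, so it is ignored',
];

[$cleanVars, $errors] = cleanInput($post);
if ($errors) {
    throw new RuntimeException('Invalid input: ' . json_encode($errors));
}
insertUser($db, $cleanVars);

// The stored name is the raw text "Smith & Sons'); DROP TABLE users;--":
// the quote and the "&" were never escaped, and the users table still exists.
foreach ($db->query('SELECT * FROM users') as $row) {
    echo renderRow($row);
}
```

The point of keeping the stored value raw is that it can be searched, compared and shown in a non-HTML context (an email, a CSV export) without first undoing htmlentities(), and the column width check in cleanInput() is made against the text that will actually be stored.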
