mysql error when inserting data - Webmaster Forum - Web Design, Programming and SEO forums

12-31-2007, 04:26 PM

phpintheusa

Status: I'm new around here
Join date: Dec 2007
Location: Tennessee
Expertise:
Software:

Posts: 20

iTrader: 0 / 0%

phpintheusa is on a distinguished road

I just want to recommend that you use a function like this instead of using addslashes(). Addslashes is a security blanket full of holes.

Code:

function validateit($value) {
	$value = str_replace('javascript:', '_', $value);
	$value = str_replace('document.location', '_', $value);
	$value = str_replace('vbscript:', '_', $value);
	$value = str_replace('<marquee', '_', $value);
	$value = str_replace('<script', '_', $value);
	$value = str_replace('?php', '_', $value);
	$value = mysql_real_escape_string(strip_tags(htmlentities(trim($value))));
	return $value;
}

This will help against sql injections, cross site scripting, and all that jazz.

12-31-2007, 04:45 PM

Village Genius

Status: Geek
Join date: Apr 2006
Location: Denver, CO
Expertise: Software
Software: Chrome, Notepad++

Posts: 6,894

iTrader: 18 / 100%

Village Genius will become famous soon enough

Originally Posted by phpintheusa

I just want to recommend that you use a function like this instead of using addslashes(). Addslashes is a security blanket full of holes.

Code:

function validateit($value) {
	$value = str_replace('javascript:', '_', $value);
	$value = str_replace('document.location', '_', $value);
	$value = str_replace('vbscript:', '_', $value);
	$value = str_replace('<marquee', '_', $value);
	$value = str_replace('<script', '_', $value);
	$value = str_replace('?php', '_', $value);
	$value = mysql_real_escape_string(strip_tags(htmlentities(trim($value))));
	return $value;
}

This will help against sql injections, cross site scripting, and all that jazz.

Dont manually escape all the HTML. Use htmlspecialchars and unescape the values that you want in (<b><i>, ect.)