Quick question about input/output security

Soldato
Joined
2 May 2004
Posts
19,950
I've set myself a little project of creating a secure, efficient forum using PHP - I don't plan to release it or anything, it's more to keep what I know about PHP fresh in my head as well as learn more :)

However I have forgotten a little as I haven't coded in a while :p

Am I right in saying I should be using mysql_real_escape_string (I'll be using robmiller's quote_smart function for this) for data going into the database?

So for example when a user is entering something into a form I'd process his/her entry through htmlentities() - e.g. htmlentities($_POST['data'], ENT_QUOTES); along with quote_smart() in the query?

Then for reading from the database I'd just use quote_smart() in the query?

Thanks,
Craig.
 
Thanks :)

What about when I'm selecting information from a database based on the URL, for example:

PHP:
<?php
$id = $_GET['id'];

$sql = "SELECT * FROM table WHERE id = '$id'";
?>

Am I right in saying the safe way of doing the above would be:


PHP:
<?php
$id = $_GET['id'];

$sql = sprintf("SELECT * FROM table WHERE id = %s", quote_smart($id));
?>

Along with checking that the $id is valid, of course (intval() etc.).

Thanks,
Craig.
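An added example (not code from this thread or from robmiller's quote_smart) showing the two separate concerns the posts above touch on: keeping user data out of the SQL text, and HTML-encoding only at output time rather than before storage. It assumes PDO with the sqlite driver is available so it runs stand-alone; the table, column and function names are constructed for the example.

```php
<?php
// Added example. Uses an in-memory SQLite database via PDO so it runs
// offline; with MySQL only the DSN and credentials would change.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)");

// Store the raw submission. The database is not an HTML context, so the
// value is not passed through htmlentities() here; a bound parameter keeps
// the data separate from the SQL text, which is what escaping is meant to do.
function save_post(PDO $db, string $body): int {
    $stmt = $db->prepare("INSERT INTO posts (body) VALUES (:body)");
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// Validate the id before it goes anywhere near the query. intval() alone
// turns "abc" into 0, so filter_var is used to reject non-integers outright;
// the surviving value is then bound rather than interpolated.
function load_post(PDO $db, $raw_id): ?string {
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare("SELECT body FROM posts WHERE id = :id");
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['body'] : null;
}

// Escape for HTML at the point of output, naming the charset explicitly.
function render(string $body): string {
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample input: the stored text keeps its quote and tags intact,
// while the rendered output has them encoded.
$id = save_post($db, "O'Reilly <b>bold</b>");
echo render(load_post($db, (string) $id)), "\n";
var_dump(load_post($db, "1 OR 1=1"));
```

The second lookup returns NULL because the id fails integer validation before any query is built, which is the check the post's "intval() etc." is getting at.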