Re: COMMENT FORM
On Thu, 02 Aug 2007 01:13:48 +0200, zach <wackzingo@xxxxxxxxx> wrote:

Michael Fesser wrote:
.oO(zach)

I know how to take data from a form and insert it into MySql. For a comment form on something like a blog or news article, is using addslashes() all that is needed to prevent unwanted malicious user data?
No. addslashes() is hardly ever necessary. Of course its counterpart
stripslashes() is required to get the "raw" data if magic quotes are
enabled on the server.

There's got to be something more right? Can anyone tell me what I need to do or point me to some tutorial and/or articles?
Use mysql_real_escape_string() or - even better - prepared statements,
as provided by the PDO extension. And google for "SQL injection".
Micha

I don't believe my host has magic quotes on; I use Media Temple's grid server, if anyone's familiar with that. So if I use mysql_real_escape_string() on the data being inserted into the database, that's it?

To some extent. Some exotic characters will give you problems.

I thought it was more complicated than that...

It is, but it's not very likely to hit you: it's a combination of a rare database setup combined with particular encoding/unicode characters that might get through this. At least, that's what I've heard. I never changed my database to the settings under which some claim it's vulnerable.

Will I need to use stripslashes() before printing to the screen?

Hell no, unless the slashes are magically added, no adding or deleting of slashes is required. If you print on an HTML page though, at least htmlspecialchars() is required, and possibly htmlentities() or more depending on the characters sent.
--
Rik Wasmus
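As an added illustration (not code from anyone in this thread), here is how the advice above fits together in PHP: a PDO prepared statement carries the comment text as a bound parameter so no escaping is needed on insert, the connection charset is declared so the "exotic characters" problem Rik mentions does not apply, and htmlspecialchars() is applied only when the comment is printed to the page. The table and column names, the DSN and credentials, and PHP 7.1 or later are assumptions.

```php
<?php
// Added example, not from the thread: storing and displaying a blog comment
// without addslashes() or mysql_real_escape_string(). Assumes magic quotes are
// off, PHP >= 7.1, and a table comments(id, author, body, created_at).

function connect(): PDO
{
    // Declaring the charset on the DSN tells driver and server which encoding
    // the data is in. A mismatch between the two is the "rare database setup"
    // that can defeat string escaping; bound parameters are not affected by it.
    $pdo = new PDO('mysql:host=localhost;dbname=blog;charset=utf8mb4', 'user', 'secret');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepared statements rather than client-side emulation.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

function storeComment(PDO $pdo, string $author, string $body): void
{
    // Placeholders keep the query structure fixed; the values travel separately,
    // so quotes and backslashes in $body are stored as plain text.
    $stmt = $pdo->prepare(
        'INSERT INTO comments (author, body, created_at) VALUES (:author, :body, NOW())'
    );
    $stmt->execute([':author' => $author, ':body' => $body]);
}

function renderComments(PDO $pdo): string
{
    $html = '';
    foreach ($pdo->query('SELECT author, body FROM comments ORDER BY id DESC') as $row) {
        // Escaping belongs at output time, for the output context (HTML here).
        // ENT_QUOTES covers attributes quoted with ' as well as ", and naming
        // the charset avoids mis-decoding the bytes the database returned.
        $author = htmlspecialchars($row['author'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $body   = htmlspecialchars($row['body'],   ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html  .= "<p><strong>$author</strong>: " . nl2br($body) . "</p>\n";
    }
    return $html;
}

// No stripslashes() anywhere: nothing added slashes on the way in, so there is
// nothing to remove on the way out.
$pdo = connect();
storeComment($pdo, $_POST['author'] ?? '', $_POST['comment'] ?? '');
echo renderComments($pdo);
```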