Posted by Michael Fesser on 08/01/07 20:58
..oO(zach)
> I know how to take data from a form and insert it into MySql. For a
> comment form on something like a blog or news article, is using
> addslashes() all that is needed to prevent unwanted malicious user data?
No. addslashes() is hardly ever necessary. Of course its counterpart
stripslashes() is required to get the "raw" data if magic quotes are
enabled on the server.
> There's got to be something more right? Can anyone tell me what I need
> to do or point me to some tutorial and/or articles?
Use mysql_real_escape_string() or - even better - prepared statements,
as provided by the PDO extension. And google for "SQL injection".
Micha
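As an added example (not part of Micha's reply or the original thread), the prepared-statement approach he recommends applied to the comment insert from the question, in PHP with PDO; the table name, columns, and connection settings are assumed.

```php
<?php
// Added example, not from the original thread. Table/columns/credentials are assumed.
declare(strict_types=1);

// The string-building style the question describes: even with addslashes()
// the user's text is spliced into the SQL itself, which is what makes
// injection possible. Shown only for contrast with insertComment() below.
function buildCommentSqlUnsafe(string $author, string $body): string
{
    return "INSERT INTO comments (author, body) VALUES ('"
        . addslashes($author) . "', '" . addslashes($body) . "')";
}

// Magic quotes (PHP < 5.4) pre-escaped form input; strip that before binding,
// otherwise the stored comment is double-escaped. No-op on modern PHP.
function rawInput(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Prepared statement: the SQL text is fixed and the values are sent separately,
// so quotes or backslashes in a comment are stored verbatim, never parsed as SQL.
function insertComment(PDO $db, int $postId, string $author, string $body): int
{
    $stmt = $db->prepare(
        'INSERT INTO comments (post_id, author, body) VALUES (:post_id, :author, :body)'
    );
    $stmt->bindValue(':post_id', $postId, PDO::PARAM_INT);
    $stmt->bindValue(':author', $author, PDO::PARAM_STR);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Assumed connection. ERRMODE_EXCEPTION makes failures visible instead of silent;
// EMULATE_PREPARES=false lets the MySQL server do the parameter binding itself.
$db = new PDO(
    'mysql:host=localhost;dbname=blog;charset=utf8mb4', 'blog_user', 'secret',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// Constructed form input containing an apostrophe and a backslash.
$author = rawInput($_POST['author'] ?? "O'Brien");
$body   = rawInput($_POST['body'] ?? 'Nice post \\ "thanks"');
$newId  = insertComment($db, 42, $author, $body);
```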