Posted by zach on 08/01/07 23:13
Michael Fesser wrote:
> .oO(zach)
>
>> I know how to take data from a form and insert it into MySql. For a
>> comment form on something like a blog or news article, is using
>> addslashes() all that is needed to prevent unwanted malicious user data?
>
> No. addslashes() is hardly ever necessary. Of course its counterpart
> stripslashes() is required to get the "raw" data if magic quotes are
> enabled on the server.
>
>> There's got to be something more right? Can anyone tell me what I need
>> to do or point me to some tutorial and/or articles?
>
> Use mysql_real_escape_string() or - even better - prepared statements,
> as provided by the PDO extension. And google for "SQL injection".
>
> Micha
I don't believe my host has magic quotes on, I use media temple's grid
server if anyone's familiar with that. So if I use the
mysql_real_escape_string() on the data being inserted into the database
that's it? I thought it was more complicated than that... Will I need to
use stripslashes() before printing to the screen?
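One way to do the prepared-statement insert Micha recommends, shown next to the string-splicing form it replaces. This is an added example, not code from the thread; the DSN, credentials and the comments table layout are assumptions.

```php
<?php
// Added example (not from the thread): storing a blog comment with a PDO
// prepared statement, so user input travels separately from the SQL text.
// Assumed: DSN/credentials below and a table comments(id, post_id, author, body).

function connectDb(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=blog;charset=utf8mb4'; // assumption
    $pdo = new PDO($dsn, 'blog_user', 'secret');               // assumption
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $pdo;
}

// Only needed on old PHP with magic quotes on: undo the slashes PHP added on
// input, so the raw text is what gets bound and stored.
function rawInput(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// The form the thread warns against: values are spliced into the SQL string,
// so a body containing a quote changes the query itself (SQL injection).
function insertCommentUnsafe(PDO $pdo, int $postId, string $author, string $body): void
{
    $sql = "INSERT INTO comments (post_id, author, body) VALUES ($postId, '$author', '$body')";
    $pdo->exec($sql); // do not do this
}

// Safe form: placeholders in the SQL, values bound afterwards. No addslashes()
// or mysql_real_escape_string() is involved, and the row holds the raw input,
// so nothing has to be stripslashes()'d when it is read back for display.
function insertComment(PDO $pdo, int $postId, string $author, string $body): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO comments (post_id, author, body) VALUES (:post_id, :author, :body)'
    );
    $stmt->bindValue(':post_id', $postId, PDO::PARAM_INT);
    $stmt->bindValue(':author', rawInput($author), PDO::PARAM_STR);
    $stmt->bindValue(':body', rawInput($body), PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Constructed sample input: the single quotes would break or alter the unsafe
// query, but the prepared statement stores the text verbatim.
$pdo = connectDb();
$id = insertComment($pdo, 42, 'zach', "Nice post, isn't it? 'quoted' text");
echo "stored comment #$id\n";
```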