Posted by Rik on 07/04/06 18:34
Harold Crump wrote:
> Greetings,
>
> I have a fairly vanilla PHP web application that stores and retrieves
> data in a MySQL database.
> Users will be adding a lot of special characters such as single and
> double quotes, accented French characters, etc.
>
> I want to eliminate any potential for XSS or SQL injection attacks.
>
> My question - is it enough to pass all user input through the
> htmlentities() function call and store the resultant output?
No. Use mysql_real_escape_string(), although that's not 100% secure
either:
http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
Prepared statements seem the way to go. Use mysqli if available.
> Also, I would like to replace all semi-colons in input with something
> else - but I am not sure what and how.
Why?
Grtz,
--
Rik Wasmus
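To illustrate the advice in the reply above, here is an added example written for this edit (not code posted by Rik or anyone else in the thread). It stores the user's text untouched, keeps SQL injection out with mysqli prepared statements, and handles XSS separately at output time. The table layout, connection credentials and the sample comment are assumptions for the sake of the example.

```php
<?php
// Added example, not from the original thread. Assumes a MySQL table
// comments(id INT AUTO_INCREMENT PRIMARY KEY, author VARCHAR(64), body TEXT)
// and the connection parameters below; both are assumptions for illustration.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4'); // accented French text round-trips intact

// 1. Store the input exactly as typed: quotes, semicolons, accents and all.
//    A bound parameter travels to the server separately from the SQL text,
//    so nothing inside $body can change the statement.
function save_comment(mysqli $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $author, $body);
    $stmt->execute();
    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

// 2. Read back by author, again with a bound parameter for the lookup key.
function comments_by_author(mysqli $db, string $author): array
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE author = ?');
    $stmt->bind_param('s', $author);
    $stmt->execute();
    $stmt->bind_result($body);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = $body;
    }
    $stmt->close();
    return $rows;
}

// 3. Escape for HTML only when rendering. ENT_QUOTES covers both quote
//    kinds so the value is safe inside attributes as well as element text.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Usage: a hostile-looking comment (constructed sample) goes in and comes
// back out as plain data; the semicolon and the quote are just characters.
$author = $_POST['author'] ?? 'anon';
$body   = $_POST['body']   ?? "O'Brien said: \"ça va\"; DROP TABLE comments; --";

save_comment($db, $author, $body);

foreach (comments_by_author($db, $author) as $row) {
    // The browser receives &quot; and &#039; rather than live markup.
    echo '<p>', h($row), '</p>', "\n";
}
```

Two things worth noticing. First, the stored text is never run through htmlentities(): encoding at storage time bakes one output format into the database, and it was never an SQL defence anyway (with its historic default flags htmlentities() does not even touch single quotes). Second, the semicolon question from the original post answers itself once parameters are bound: the server receives the semicolon as part of a string value, not as a statement separator, so there is nothing to replace.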