Posted by Toby Inkster on 12/19/06 12:56

bill wrote:

> 1: Do I need to worry about SQL injection if I do not process the
> incoming free form data ?

Yes. Never, but never, trust user input. Always validate it and make sure
it can do no harm before doing anything else with it.

> 2: Do I need to worry about PHP statements being embedded in the
> free form data ?

Probably not.

> 3: if so, what is the best practices to protect my database/site ?

The MySQL module provides a function called mysql_real_escape_string() or
some silly name like that. (For other databases, addslashes() will
normally suffice.) Run any user input through that before inserting/
updating it into your database.

For output, pass everything through htmlentities() to make sure it is
"safe" to appear. For example, what happens if a photo description
consists of:

<big><strong><font color=red>Hello!!!

This isn't necessarily a malicious user -- just someone who wanted to type
a big, bold, red greeting to the world but forgot to close their tags.
Imagine what a malicious user could do (e.g. run javascript off your site).

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

[Back to original message]