Posted by zach on 08/01/07 23:13

Michael Fesser wrote:
> .oO(zach)
>
>> I know how to take data from a form and insert it into MySql. For a
>> comment form on something like a blog or news article, is using
>> addslashes() all that is needed to prevent unwanted malicious user data?
>
> No. addslashes() is hardly ever necessary. Of course its counterpart
> stripslashes() is required to get the "raw" data if magic quotes are
> enabled on the server.
>
>> There's got to be something more right? Can anyone tell me what I need
>> to do or point me to some tutorial and/or articles?
>
> Use mysql_real_escape_string() or - even better - prepared statements,
> as provided by the PDO extension. And google for "SQL injection".
>
> Micha

I don't believe my host has magic quotes on; I use Media Temple's grid
server if anyone's familiar with that. So if I use
mysql_real_escape_string() on the data being inserted into the database,
that's it? I thought it was more complicated than that... Will I need to
use stripslashes() before printing to the screen?
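To make the advice in this exchange concrete, here is an added example of the comment-form flow using PDO prepared statements, as Micha recommends; it is not code from either poster. It assumes a MySQL table named `comments` with `author`, `body` and `created_at` columns and the connection details shown, all hypothetical. It also answers the stripslashes() question: with prepared statements (or a correctly applied mysql_real_escape_string(), which is still adequate for string literals but was removed along with the whole mysql_* extension in PHP 7) the database stores the raw text, so nothing needs to be stripped on output; what output does need is HTML escaping, which is a separate problem from SQL escaping.

```php
<?php
// Added example (not from the original thread): storing and displaying a blog
// comment with PDO prepared statements, so user data never becomes part of the
// SQL text. Assumed (hypothetical): a table `comments` (id, author, body,
// created_at) and the DSN/credentials in connect().

declare(strict_types=1);

// Undo magic quotes only if the host still has them on (PHP < 5.4);
// afterwards $value is exactly the text the user typed.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

function connect(): PDO
{
    // Hypothetical connection details.
    return new PDO('mysql:host=localhost;dbname=blog;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: values are sent separately from the SQL
    ]);
}

function insert_comment(PDO $pdo, string $author, string $body): int
{
    // Placeholders keep the comment out of the SQL string entirely, so quotes,
    // semicolons or comment markers in the body are stored verbatim and run nothing.
    $stmt = $pdo->prepare(
        'INSERT INTO comments (author, body, created_at) VALUES (:author, :body, NOW())'
    );
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function recent_comments(PDO $pdo, int $limit = 20): array
{
    $stmt = $pdo->prepare(
        'SELECT author, body, created_at FROM comments ORDER BY id DESC LIMIT :limit'
    );
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT); // LIMIT must be bound as an integer
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output escaping is separate from SQL escaping: the stored text is the raw
// comment (no slashes to strip), but it must be HTML-escaped before printing,
// otherwise a comment containing markup is rendered in every reader's browser.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pdo    = connect();
    $author = raw_input($_POST['name'] ?? '');
    $body   = raw_input($_POST['comment'] ?? '');

    // Basic validation in addition to escaping: non-empty and a sane length.
    if ($author !== '' && $body !== '' && strlen($body) <= 4000) {
        insert_comment($pdo, $author, $body);
    }

    foreach (recent_comments($pdo) as $row) {
        printf(
            "<p><b>%s</b> (%s): %s</p>\n",
            h($row['author']),
            h($row['created_at']),
            nl2br(h($row['body']))
        );
    }
}
```

The two escaping steps serve different parsers: the placeholder protects the SQL parser on the way in, and htmlspecialchars() protects the HTML parser on the way out. Neither replaces the other, and neither involves stripslashes() once magic quotes are out of the picture.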
