Re: COMMENT FORM

Posted by Rik on 08/02/07 03:55

On Thu, 02 Aug 2007 01:13:48 +0200, zach <wackzingo@gmail.com> wrote:

> Michael Fesser wrote:
>> .oO(zach)
>>
>>> I know how to take data from a form and insert it into MySql. For a
>>> comment form on something like a blog or news article, is using
>>> addslashes() all that is needed to prevent unwanted malicious user
>>> data?
>> No. addslashes() is hardly ever necessary. Of course its counterpart
>> stripslashes() is required to get the "raw" data if magic quotes are
>> enabled on the server.
>>
>>> There's got to be something more right? Can anyone tell me what I
>>> need to do or point me to some tutorial and/or articles?
>> Use mysql_real_escape_string() or - even better - prepared statements,
>> as provided by the PDO extension. And google for "SQL injection".
>> Micha
>
> I don't believe my host has magic quotes on, I use media temple's grid
> server if anyone's familiar with that. So if I use the
> mysql_real_escape_string() on the data being inserted into the database
> that's it?

To some extent. Some exotic characters will give you problems.

> I thought it was more complicated than that...

It is, but not very likely to hit you; it's a combination of a rare
database setup combined with particular encoding/Unicode characters that
might get through this. At least, that's what I've heard. I never changed
my database to the settings some claim it's vulnerable with.

> Will I need to use stripslashes() before printing to the screen?

Hell no, unless the slashes are magically added, no adding or deleting of
slashes is required. If you print on an HTML page though, at least
htmlspecialchars() is required, and possibly htmlentities() or more
depending on the characters sent.
--
Rik Wasmus
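The thread's advice in working code, as an added example that is not part of any post above: the INSERT goes through a PDO prepared statement (Micha's recommendation), nothing is stripped or escaped on the way into the database, and htmlspecialchars() is applied only where the stored text becomes HTML (Rik's last point). The table layout, the comment inputs and the helper names are all assumptions for illustration; PDO's SQLite driver with an in-memory database is used only so the script runs without a MySQL server, and with MySQL only the DSN line would change. A concatenated "before" version is kept beside the prepared one so the difference shows on the same inputs.

```php
<?php
// Added example, not code from the original thread. Comment-form back end
// following the thread's advice: prepared statements for the INSERT,
// htmlspecialchars() at output time. SQLite in memory is used here only so
// the script runs without a MySQL server; with MySQL change just the DSN.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// The "before": string concatenation. Every quote in user input becomes
// part of the SQL text, so a plain O'Brien breaks the statement and a
// crafted name can append its own statement.
function insertCommentUnsafe(PDO $db, string $name, string $body): void
{
    $sql = "INSERT INTO comments (name, body) VALUES ('$name', '$body')";
    $db->exec($sql);
}

// The "after": a prepared statement. The values travel separately from the
// SQL text, so no escaping step is needed and there is no connection
// charset for an escaping routine to get wrong.
function insertComment(PDO $db, string $name, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (name, body) VALUES (:name, :body)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Output side: raw bytes are what is stored; escaping happens only when
// they become HTML. ENT_QUOTES covers attribute contexts too, the charset
// is stated explicitly, and ENT_SUBSTITUTE keeps invalid UTF-8 from
// silently emptying the string.
function renderComment(array $row): string
{
    $name = htmlspecialchars($row['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $body = htmlspecialchars($row['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<div class=\"comment\"><b>$name</b>: $body</div>";
}

function renderAll(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT name, body FROM comments ORDER BY id') as $row) {
        $html .= renderComment($row) . "\n";
    }
    return $html;
}

$db = openDb();

// Constructed inputs for the demonstration, not real submissions.
$inputs = [
    ["O'Brien", "Looks good to me."],
    ["mallory", "<script>alert(document.cookie)</script>"],
    ["x', 'y'); DELETE FROM comments; --", "ignored"],
];

// Concatenated version: the first name alone is a SQL syntax error, the
// third one runs a second statement against the table.
foreach ($inputs as [$name, $body]) {
    try {
        insertCommentUnsafe($db, $name, $body);
        echo "unsafe insert accepted: $name\n";
    } catch (PDOException $e) {
        echo "unsafe insert failed on \"$name\": " . $e->getMessage() . "\n";
    }
}

// Prepared version: all three rows are stored verbatim, and the
// <script> payload comes back out as harmless text.
$db->exec('DELETE FROM comments');
foreach ($inputs as [$name, $body]) {
    insertComment($db, $name, $body);
}
echo renderAll($db);
```

The "rare database setup" Rik mentions is the well-known multibyte-charset case: if the connection charset is something like GBK or SJIS, a crafted byte followed by the backslash that addslashes() inserts is read by the server as one two-byte character, and the quote behind it survives. mysql_real_escape_string() handles this only when it knows the real connection charset (set through mysql_set_charset() rather than a bare SET NAMES), which is one more reason the prepared statement above is the simpler answer.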
