Bytes IT Community

COMMENT FORM

I know how to take data from a form and insert it into MySql. For a
comment form on something like a blog or news article, is using
addslashes() all that is needed to prevent unwanted malicious user data?
There's got to be something more right? Can anyone tell me what I need
to do or point me to some tutorial and/or articles?

Thanks
Zach W.
Aug 1 '07 #1
4 Replies


.oO(zach)
> I know how to take data from a form and insert it into MySql. For a
> comment form on something like a blog or news article, is using
> addslashes() all that is needed to prevent unwanted malicious user data?
No. addslashes() is hardly ever necessary. Of course its counterpart
stripslashes() is required to get the "raw" data if magic quotes are
enabled on the server.
> There's got to be something more right? Can anyone tell me what I need
> to do or point me to some tutorial and/or articles?
Use mysql_real_escape_string() or - even better - prepared statements,
as provided by the PDO extension. And google for "SQL injection".

Micha
Aug 1 '07 #2

Michael Fesser wrote:
> .oO(zach)
>> I know how to take data from a form and insert it into MySql. For a
>> comment form on something like a blog or news article, is using
>> addslashes() all that is needed to prevent unwanted malicious user data?
>
> No. addslashes() is hardly ever necessary. Of course its counterpart
> stripslashes() is required to get the "raw" data if magic quotes are
> enabled on the server.
>
>> There's got to be something more right? Can anyone tell me what I need
>> to do or point me to some tutorial and/or articles?
>
> Use mysql_real_escape_string() or - even better - prepared statements,
> as provided by the PDO extension. And google for "SQL injection".
>
> Micha
I don't believe my host has magic quotes on, I use media temple's grid
server if anyone's familiar with that. So if I use the
mysql_real_escape_string() on the data being inserted into the database
that's it? I thought it was more complicated than that... Will I need to
use stripslashes() before printing to the screen?
Aug 1 '07 #3
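As an added example (not code from any poster in this thread), the comment-form insert done the way Micha recommends: a PDO prepared statement, with the magic-quotes case handled by stripslashes() on input so the stored value is raw. The `comments` table, its `author`/`body` columns and the connection details are assumed.

```php
<?php
// Added example, not from the thread. Assumes a `comments` table with
// columns id, author, body, and PDO's MySQL driver on the server.

// Magic quotes (removed in PHP 5.4) add backslashes to every request value.
// Undo that only when it is actually on, so what we store is the raw text.
function rawInput($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

$author = rawInput(isset($_POST['author']) ? $_POST['author'] : '');
$body   = rawInput(isset($_POST['body'])   ? $_POST['body']   : '');

// Connection values are placeholders for this example.
$pdo = new PDO('mysql:host=localhost;dbname=blog;charset=utf8mb4', 'dbuser', 'dbpass', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
));

// The SQL text holds only placeholders. User data is sent separately from the
// query, so quotes, backslashes or semicolons in $body cannot alter its structure.
$stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$stmt->execute(array(':author' => $author, ':body' => $body));

// Micha's other option, the old mysql extension (removed in PHP 7). Note the
// escaped value must still sit inside quotes in the SQL, or the escaping
// protects nothing:
//   $safe = mysql_real_escape_string($body, $link);
//   mysql_query("INSERT INTO comments (author, body) VALUES ('...', '$safe')", $link);

// Reading back for display: no stripslashes() is needed, the stored text is raw.
// SQL escaping is not HTML escaping, so encode when printing to the screen.
$rows = $pdo->query('SELECT author, body FROM comments ORDER BY id DESC')
            ->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    echo '<p><b>' . htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8') . '</b>: '
       . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . "</p>\n";
}
```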

Rik
Excuse the typos and bad grammar. Time for bed now....
--
Rik Wasmus
Aug 2 '07 #4

Rik wrote:
> Excuse the typos and bad grammar. Time for bed now....
> --
> Rik Wasmus
Thank you very much guys, I'll mess with it this weekend after my tests
at school :)

zach
Aug 2 '07 #5
