
Well, I want to know some tips about PHP and MySQL.

When I get data from user then I use the following validation:

mysql_real_escape_string()
or
htmlentities()
or
trim()

Is it a secure way to get data from the user?

And what is the best way to retrieve data from a MySQL database? I used nl2br(), but if I submit I'm here then it shows I\'m here. It should be showing I'm here. I don't know what the correct method is.

Ry-
user1161867
  • Neither of these functions does validation. And whether it's safe to use the output of these functions depends on how you use those values. So how do you use these functions? – Gumbo Feb 05 '12 at 16:43
  • Switch to PDO and please please please turn off magic quotes for the better of humanity. – PeeHaa Feb 05 '12 at 16:44
  • @PeeHaa Thanks for this idea. But I think it's already OFF from PHP 5.0. Is it? – user1161867 Feb 05 '12 at 16:45
  • @user1161867: No. Well, at least I had to turn it off manually on my installation. That was PHP 5.2.17 on Windows. – Ry- Feb 05 '12 at 16:46
  • Refer to http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php – jthurau Feb 05 '12 at 16:48

1 Answer


When inserting data into a database, you'll use mysql_real_escape_string; not htmlentities. Or even better, MySQLi - or even better, PDO.

When you're outputting data from the database that might not be secure, you'll probably use htmlentities then.

To stop the slashes, turn magic quotes off.

Ry-
  • Thanks @minitech. So htmlentities is secure? Any other method? – user1161867 Feb 05 '12 at 16:47
  • @user1161867: Yes, it's secure for HTML output. Just remember to use it. Oh, and there's also [`htmlspecialchars`](http://php.net/htmlspecialchars). – Ry- Feb 05 '12 at 16:49
  • @user1161867: You can mix them, but it's good to be consistent. And don't use both, things will break :) – Ry- Feb 05 '12 at 16:56
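The answer's three points (parameterised storage instead of string-built SQL, HTML escaping only at output time, and no magic quotes adding backslashes) put together in one page, as an added example that is not code from the question or the answer. It assumes a MySQL table `comments` with an auto-increment `id` and a TEXT column `body`; the DSN and credentials are placeholders, and `readInput`, `storeComment`, `renderComment` and `fetchComments` are names chosen here:

```php
<?php
// Added example, not from the original question or answer.
// Assumes a table `comments` (id INT AUTO_INCREMENT, body TEXT) and
// placeholder credentials. Needs PHP 5.4+ for the short array syntax.

// 1. Read a POST field. If a legacy PHP 5 install still has magic_quotes_gpc
//    on, strip the backslashes it added so "I'm here" is not stored as
//    "I\'m here". The real fix is magic_quotes_gpc = Off in php.ini; this is
//    only a runtime fallback, and the guard keeps it harmless on PHP >= 7.4
//    where the function is gone.
function readInput($key)
{
    $value = isset($_POST[$key]) ? (string) $_POST[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return trim($value);
}

// 2. Store with a PDO prepared statement. The value travels separately from
//    the SQL text, so no escaping function is applied to the data at all.
function storeComment(PDO $pdo, $body)
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// 3. Escape for HTML only when rendering. htmlspecialchars runs first and
//    nl2br second, so the <br /> tags nl2br inserts are not themselves escaped.
function renderComment($body)
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));
}

function fetchComments(PDO $pdo)
{
    $stmt = $pdo->query('SELECT body FROM comments ORDER BY id');
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8', // placeholder DSN
    'app_user',                                      // placeholder user
    'app_pass',                                      // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // let MySQL do the parameter binding
    ]
);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    storeComment($pdo, readInput('body'));
}

// Submitting "I'm here" renders as I'm here; submitting "<b>hi</b>" renders as
// the literal text &lt;b&gt;hi&lt;/b&gt; rather than bold markup.
foreach (fetchComments($pdo) as $body) {
    echo '<p>', renderComment($body), "</p>\n";
}
```

The division of labour is the point: the database layer never sees HTML escaping, and the HTML layer never sees SQL escaping, which is what the answer's last comment about not using both on the same value amounts to. If `mysql_real_escape_string` has to stay for older code, it replaces only step 2 and needs an open `mysql_connect` link, since it escapes according to the connection's character set.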