Will these security functions be enough? (PHP)
- by ggfan
I am trying to secure my site so I don't have sql injections and xss scripting.
Here's my code.
//here's the from, for brevity, i just show a field for users to put firstname
<form>
<label for="first_name" class="styled">First Name:</label>
<input type="text" id="first_name" name="first_name" value="<?php if (!empty($first_name)) echo $first_name; ?>" /><br />
//submit button etc
</form>
if (isset($_POST['submit'])) {
//gets rid of extra whitesapce and escapes
$first_name = mysqli_real_escape_string($dbc, trim($_POST['first_name']));
//check if $first_name is a string
if(!is_string($first_name)
{
echo "not string";
}
//then insert into the database.
.......
}
mysqli_real_espace_string: I know that this func escapes certain letters like \n \r, so when the data gets inputted into the dbc, it would have '\' next to all the escaped letters?
--Will this script be enough to prevent most sql injections? just escaping and checking if the data is a string. For integers values(like users putting in prices), i just: is_numeric().
--How should I use htmlspecialchars? Should I use it only when echoing and displaying user data? Or should I also use this too when inputting data to a dbc?
--When should I use strip_tags() or htmlspecialchars?
SOO with all these function...
if (isset($_POST['submit'])) {
//gets rid of extra whitesapce and escapes
$first_name = mysqli_real_escape_string($dbc, trim($_POST['first_name']));
//check if $first_name is a string
if(!is_string($first_name)
{
echo "not string";
}
//gets rid of any <,>,&
htmlspecialchars($first_name);
//strips any tags with the first name
strip_tags($first_name)
//then insert into the database.
.......
}
Which funcs should I use for sql injections and which ones should I use for xss?
