Hi, I was wondering if you should use mysql_real_escape_string and strip_tags for the password $_POST. Here is what I'm talking about below. The reason I'm asking is that I've been reading a lot of posts and people were saying not to use it for the password $_POST. Thanks.

Keep it like this:

```php
$password = $_POST["password"];
```

this:

```php
$password = stripslashes($_POST['password']);
```

or this:

```php
$password = mysql_real_escape_string(strip_tags($_POST['password']));
```
Your code suggests that you will store the password as plain text, which is a very bad practice.

The use of stripslashes relies on a deprecated (PHP 5.3.0) and then abandoned (PHP 5.4.0) feature: Magic Quotes. Drop the need for stripslashes by setting magic_quotes_gpc to off in your php.ini configuration file.

The lowest acceptable approach is to encode passwords using md5() before storing them. You won't need mysql_real_escape_string or strip_tags, because the md5() function returns 32 hexadecimal characters.

```php
$username = $_POST['username'];
$username = sanitize($username); /* This should remove any tricky or unacceptable characters */

$password = $_POST['password'];
$password_encrypted = md5($password);

// String values have to be quoted inside the SQL statement
mysql_query("INSERT INTO users (username, password) VALUES ('$username', '$password_encrypted')");
```
Hi, I'm using this for my password:

```php
$password = hash('sha512', $_POST['password']);
```

Thanks for replying, guys.
If you're hashing the password before you send it to the DB, you don't need to use mysql_real_escape_string or stripslashes.
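
An added example, not from any post in this thread: it shows how stripslashes() and strip_tags() change a password before it is hashed, then stores the unmodified password with password_hash() and a PDO prepared statement in place of the md5()/sha512 and mysql_query() calls posted above. The sample password, the users table layout and the in-memory SQLite database (needs the pdo_sqlite extension) are assumptions made for the example.

```php
<?php
// Added example: constructed input; in-memory SQLite stands in for the thread's MySQL database.
declare(strict_types=1);

// Constructed sample password containing characters the filters would touch.
$raw = "p<b>ss'w\\ord";

// What each pre-processing step from the thread does to the password before hashing.
$variants = [
    'raw'          => $raw,
    'stripslashes' => stripslashes($raw),
    'strip_tags'   => strip_tags($raw),
];
foreach ($variants as $name => $value) {
    printf("%-12s %-14s sha512=%s...\n", $name, $value, substr(hash('sha512', $value), 0, 16));
}

function register(PDO $db, string $username, string $password): void
{
    // The password is hashed exactly as typed; only the salted hash is stored.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Bound parameters keep the username (and the hash) out of the SQL text.
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn(); // false when the user does not exist
    return is_string($hash) && password_verify($password, $hash);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

register($db, "o'brien", $raw);
var_dump(login($db, "o'brien", $raw));             // the bytes the user typed
var_dump(login($db, "o'brien", strip_tags($raw))); // a copy passed through strip_tags first
```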