Hey, I'm just wondering what the best practices are for validating, say, a bio or comment before sending it to the database. I heard about things like htmlentities and addslashes, but I'm not sure which way to go to give users the most out of the text capabilities... I'm trying to protect myself from the chupacabra SQL injection, lol... sorry, I call it that because I have no idea how it can work, I just know it exists. I'm worried that I don't know enough about functions like addslashes and htmlentities... umm... I don't want users to be able to post scripts and whatnot, but I would like them to be able to type pretty much whatever they want in a comment or bio... Thanks for any tips and help, Jeremy.
For MySQL we have mysql_real_escape_string(), and for PDO there is another way of adding variables to queries... but the best way is to filter out wrong symbols. Read this: http://php.net/manual/en/security.database.sql-injection.php
What people insert into the database is less of an issue as long as you're protected from SQL injection (as mentioned above, PDO's prepared statements or mysql_real_escape_string()). It's what you output that matters the most. Forget addslashes(), because it serves no real purpose here. Make sure you apply htmlentities() before outputting the data, so people can't inject HTML or JavaScript. If you want, you can also apply strip_tags() before inserting the data, but it's not that important if the output is already sanitised.
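As an added example (not code posted in this thread) that puts the two replies above together: the comment is stored with a PDO prepared statement, so the SQL text and the user's data never mix, and it is escaped with htmlentities() only at output time, once, for the HTML context. The `comments` table, its columns and the sample comment are assumptions constructed for the demo; it uses an in-memory SQLite database via PDO so it runs stand-alone, and the same two functions work unchanged against MySQL (the old mysql_* extension mentioned above was removed in PHP 7, which is one more reason to go the PDO route).

```php
<?php
// Added example, not from the original thread. Assumes a hypothetical table
// comments(id, author, body); the sample data below is constructed.
declare(strict_types=1);

function storeComment(PDO $pdo, string $author, string $body): int
{
    // Prepared statement: the values are sent separately from the SQL text, so a
    // comment containing quotes, semicolons or "'); DROP TABLE ..." is stored
    // literally and never parsed as SQL. No addslashes() or escaping needed here.
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function loadComment(PDO $pdo, int $id): ?array
{
    // Same rule for reads: bind the id rather than concatenating it into the query.
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function renderComment(string $author, string $body): string
{
    // Escape at output, for the HTML context. ENT_QUOTES also converts single
    // quotes (matters inside attributes); ENT_SUBSTITUTE replaces invalid byte
    // sequences instead of returning an empty string; the charset must match the
    // page's encoding, otherwise multibyte text can be mangled.
    $a = htmlentities($author, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $b = htmlentities($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // nl2br() runs after escaping, so the <br /> tags we add survive while any
    // tags the user typed have already been turned into inert text.
    return '<div class="comment"><strong>' . $a . '</strong><p>' . nl2br($b) . '</p></div>';
}

// Demo with an in-memory SQLite database so no MySQL server is required.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY AUTOINCREMENT, author TEXT, body TEXT)');

// Constructed hostile input: an XSS payload plus a classic SQL injection attempt.
$hostile = "Nice post! <script>alert('xss')</script>\nIt's great'); DROP TABLE comments; --";
$id  = storeComment($pdo, "O'Brien", $hostile);
$row = loadComment($pdo, $id);

// The text went in exactly as typed: the injection attempt never reached the SQL parser.
if ($row === null || $row['body'] !== $hostile) {
    throw new RuntimeException('stored comment does not match the input');
}

// The rendered HTML contains the <script> tag and the quotes as escaped text, not markup.
echo renderComment($row['author'], $row['body']), PHP_EOL;
```

The split to remember is: protect the database at the query boundary (prepared statements) and protect the browser at the output boundary (htmlentities() for HTML bodies and attributes). Escaping for HTML before the insert, as the question considers, ties the stored data to one output context, so if the same comment is later sent as JSON or plain text it comes out double-encoded or still unsafe.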
Okay, thanks for the tips, I'll read the articles too. I actually messed around with htmlentities and found out what it did, lol. Should work perfectly. I thought at first that it would actually render entities into HTML... but I guess it escapes their native purpose, so I see why it's so handy here.