Hello, I'm writing a program that will allow the user to submit information from a form into the database. This info will then be output to a page that the user has, like a profile page. Basically I want to make sure that 1) I am not going to get any sort of SQL injection from the user that can harm my database and 2) That the user cannot post any sort of malicious HTML that will appear on their profile page. I have a simple PHP page I've written which takes info from the form, runs some security checks on it and then inserts it into the database... <?php $content = $_POST["content"]; //Connect to Database $conn = mysql_connect("localhost", "username", "password") or die ('Error connecting to mysql'); mysql_select_db("dbname"); //MySQL Real Escape String $content = mysql_real_escape_string($content); //Strip HTML tags $content = strip_tags($content, '<p><a><strong><i>'); //Insert data into MySQL database... ?> PHP: I was wondering if this form contains all the necessary security precautions to protect my site or if there is anything anyone here would recommend in addition to this code to protect my site from SQL injection and malicious HTML on the user pages. Thanks, BMR777
mysql_real_escape_string is just enough, but you can use PDO instead for MySQL. But this works fine! and secure enough! It's even better to check every input for forbidden chars! most good websites check every input (from $_GET, $_POST to server variables)