
is data massage required?

php, mysql


ksugam

7:37 pm on Jun 17, 2008 (gmt 0)




Hello All,
I have a form which has 4 dropdowns and 3 text boxes. Once the user enters the data and hits "Submit", the data is stored in mysql.

Do I need to massage data for removing special characters and stuff? Please advise!

Thanks!

d40sithui

8:04 pm on Jun 17, 2008 (gmt 0)




While I've never heard of "data massage", you certainly do not want to store it in the db before filtering and checking the data to see if it's what you would want. For example, if the field expects a number, make sure it is a number and nothing else. Furthermore, you will need to make the variable "safe" for your db by using a combination of at least trim(), htmlentities(), and mysql_real_escape_string();
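A worked version of the validate-then-escape advice above, added here as an example and not any poster's code. It assumes the four dropdowns are named sel1..sel4 with known option lists, the three text boxes are txtbox1..txtbox3 (txtbox1 holding a number), a table `submissions` with matching columns, and it uses mysqli prepared statements in place of the mysql_* extension mentioned in the thread (that extension was removed in PHP 7).

```php
<?php
// Added example, not from the thread. Field names, option lists and table are assumptions.
$allowed = [
    'sel1' => ['red', 'green', 'blue'],
    'sel2' => ['small', 'medium', 'large'],
    'sel3' => ['yes', 'no'],
    'sel4' => ['daily', 'weekly', 'monthly'],
];

// Step 1: check every field against what it is expected to hold.
// Returns ['clean' => ...] on success or ['errors' => ...] on failure.
function validateForm(array $post, array $allowed): array
{
    $clean = [];
    $errors = [];
    foreach ($allowed as $name => $options) {
        $value = isset($post[$name]) ? $post[$name] : '';
        // Whitelist: a client can submit any value regardless of the <select> markup.
        if (!in_array($value, $options, true)) {
            $errors[] = "$name: unexpected value";
        } else {
            $clean[$name] = $value;
        }
    }
    // txtbox1 expects a whole number: "make sure it is a number and nothing else".
    $qty = trim(isset($post['txtbox1']) ? $post['txtbox1'] : '');
    if (!ctype_digit($qty) || strlen($qty) > 6) {
        $errors[] = 'txtbox1: must be a number';
    } else {
        $clean['txtbox1'] = (int) $qty;
    }
    // Free text: trim and cap the length; HTML-escape with htmlspecialchars() when displaying it.
    foreach (['txtbox2', 'txtbox3'] as $name) {
        $text = trim(isset($post[$name]) ? $post[$name] : '');
        if ($text === '' || mb_strlen($text) > 200) {
            $errors[] = "$name: required, at most 200 characters";
        } else {
            $clean[$name] = $text;
        }
    }
    return $errors ? ['errors' => $errors] : ['clean' => $clean];
}

// Step 2: store via a prepared statement, so user data is never spliced into the SQL text.
function storeForm(mysqli $db, array $clean): bool
{
    $stmt = $db->prepare('INSERT INTO submissions (sel1, sel2, sel3, sel4, qty, note, comment) VALUES (?, ?, ?, ?, ?, ?, ?)');
    $stmt->bind_param('ssssiss', $clean['sel1'], $clean['sel2'], $clean['sel3'], $clean['sel4'],
        $clean['txtbox1'], $clean['txtbox2'], $clean['txtbox3']);
    return $stmt->execute();
}
```

Call `validateForm($_POST, $allowed)` first and only pass the `clean` array to `storeForm()`; with bound parameters there is nothing for stripslashes() or magic quotes to do.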

Receptional Andy

8:23 pm on Jun 17, 2008 (gmt 0)



There's actually a parallel thread discussing almost the same thing which may be of interest: Is this form safe to be used on the web? [webmasterworld.com]

ksugam

9:08 pm on Jun 17, 2008 (gmt 0)




So does that mean if I use
mysql_real_escape_string(stripslashes($myresult));

I am safe?

ksugam

9:38 pm on Jun 17, 2008 (gmt 0)




$test=$_POST['txtbox1'];
echo stripslashes($test);

I am trying to execute this code but it does not remove the slashes... any reason?

coopster

1:47 pm on Jun 20, 2008 (gmt 0)




Don't use magic quotes and you won't have to worry about stripping slashes.


This feature has been DEPRECATED and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.

[php.net...]