Will these security functions be enough?

I am trying to secure my site so I'm not vulnerable to SQL injection or XSS.

Here's my code:

```php
<!-- here's the form (abbreviated) -->
<form>
  <label for="first_name" class="styled">First Name:</label>
  <input type="text" id="first_name" name="first_name" value="<?php if (!empty($first_name)) echo $first_name; ?>" /><br />
  <!-- submit button etc -->
</form>

<?php
if (isset($_POST['submit'])) {
    // gets rid of extra whitespace and escapes
    $first_name = mysqli_real_escape_string($dbc, trim($_POST['first_name']));
    // check if $first_name is a string
    if (!is_string($first_name)) {
        echo "not string";
    }
    // then insert into the database.
    // .......
}
```

`mysqli_real_escape_string`: I know that this function escapes certain letters like \n \r, so when the data gets inputted into the dbc, would it have '\' next to all the escaped letters?

- Will this script be enough to prevent most SQL injection? Just escaping and checking if the data is a string. For integer values (like users putting in prices), I just use `is_numeric()`.
- How should I use `htmlspecialchars`? Should I use it only when echoing and displaying user data? Or should I also use this when inserting data into a database?
- When should I use `strip_tags` or `htmlspecialchars`?

So with all these functions:

```php
if (isset($_POST['submit'])) {
    // gets rid of extra whitespace and escapes
    $first_name = mysqli_real_escape_string($dbc, trim($_POST['first_name']));
    // check if $first_name is a string
    if (!is_string($first_name)) {
        echo "not string";
    }
    // gets rid of any <, >, &
    htmlspecialchars($first_name);
    // strips any tags from the first name
    strip_tags($first_name);
    // then insert into the database.
    // .......
}
```

Which functions should I use for SQL injection and which ones should I use for XSS?

When can a user insert XSS scripts against me? When there is a form?
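Added example, not the asker's code: the same handler rewritten so that the SQL injection question is settled by a prepared statement and the XSS question by escaping at the point of output. The table `users(first_name, price)`, the function names `save_user`/`h` and the database credentials are assumptions made for the example.

```php
<?php
// Added example (not the asker's code): the handler above rewritten so SQL
// injection is stopped by a prepared statement and XSS by escaping at output.
// The table users(first_name, price) and the DB credentials are assumed.
declare(strict_types=1);

function save_user(mysqli $dbc, string $first_name_raw, string $price_raw): bool
{
    $first_name = trim($first_name_raw);
    // Validate rather than only escape: reject empty/oversized names and
    // anything that is not numeric for the price field.
    if ($first_name === '' || strlen($first_name) > 50 || !is_numeric($price_raw)) {
        return false;
    }
    $price = (float) $price_raw;

    // Prepared statement: the value travels separately from the SQL text, so
    // quotes in $first_name cannot alter the query. No mysqli_real_escape_string
    // is needed, and no backslashes end up stored in the column.
    $stmt = $dbc->prepare('INSERT INTO users (first_name, price) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sd', $first_name, $price);
    return $stmt->execute();
}

// Escape for HTML at the moment of output, never before storing. ENT_QUOTES
// also covers single quotes, which matters inside attribute values.
// strip_tags is left out: it alters the data and is not an HTML escaping function.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$first_name = $_POST['first_name'] ?? '';
if (isset($_POST['submit'])) {
    $dbc = new mysqli('localhost', 'db_user', 'db_pass', 'app_db'); // assumed
    if (!save_user($dbc, $first_name, $_POST['price'] ?? '')) {
        echo 'invalid input';
    }
}
?>
<form method="post">
  <label for="first_name" class="styled">First Name:</label>
  <!-- the stored value is the raw input; escaping happens here, on output -->
  <input type="text" id="first_name" name="first_name" value="<?= h($first_name) ?>" /><br />
  <input type="text" id="price" name="price" value="<?= h($_POST['price'] ?? '') ?>" /><br />
  <input type="submit" name="submit" value="Save" />
</form>
```

The two defences are independent: the prepared statement protects the database regardless of what characters the name contains, and `h()` protects the page regardless of how the value was stored, so neither needs `mysqli_real_escape_string` or `strip_tags`.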