I have a question about security. Is it safe enough to do:

$fname = mysql_real_escape_string(htmlentities($_POST['fname']));
$lname = .....($_POST['lname']));
etc

and insert it into the table like:

mysql_query("INSERT INTO North_America 
(first_name, middle_name, last_name, email, phone, country) VALUES('$fname', '$mname', '$lname', '$email', '$phone', '$country') ") 
or die(mysql_error());

Or do I need more validating?


For some reason I did not see the top of your post regarding mysql_real_escape_string.
Sorry.

This was fine in the days of ASCII, but the tubes are hardly ASCII anymore. With Unicode and UTF-16, I have 1,112,064 code points; they are not even called characters anymore, because they really aren't. And if you are familiar with best-fit mapping, you would know that there are now dozens of characters that can represent any single symbol in ASCII, meaning that using the above type of blocking mechanism is silly and technically insecure.

http://marc.info/?l=php-general&m=131603743606025&w=2
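The following is an added example, not code from either poster, showing the two points raised in this thread side by side: the escaping approach from the question, rewritten against mysqli because the `mysql_*` functions no longer exist in current PHP, and the prepared-statement form that removes the charset dependence the reply is warning about. The database name, credentials, the 100-character field limit and the `$_POST` key names (`fname`, `mname`, `lname`, `email`, `phone`, `country`) are assumptions made for the example.

```php
<?php
// Added example (not the poster's code). Connection parameters are placeholders.
declare(strict_types=1);

// Maps table columns to the form field names assumed for this example.
const FIELD_MAP = [
    'first_name'  => 'fname',
    'middle_name' => 'mname',
    'last_name'   => 'lname',
    'email'       => 'email',
    'phone'       => 'phone',
    'country'     => 'country',
];

// Basic input validation, independent of how the insert is done: required fields,
// length limit (assumed 100 chars, adjust to the schema) and e-mail format.
// htmlentities() is deliberately NOT applied here: HTML escaping belongs at output
// time, otherwise the database ends up holding "O&#039;Brien" instead of the name.
function validateContact(array $post): array
{
    $clean = [];
    foreach (FIELD_MAP as $column => $key) {
        $value = trim((string)($post[$key] ?? ''));
        if ($column !== 'middle_name' && $value === '') {
            throw new InvalidArgumentException("$column is required");
        }
        if (mb_strlen($value, 'UTF-8') > 100) {
            throw new InvalidArgumentException("$column is too long");
        }
        $clean[$column] = $value;
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    return $clean;
}

// The approach from the question, adapted to mysqli. Escaping is only correct when
// the connection charset matches what the server decodes the query in, which is
// why set_charset() is mandatory here; without it a multi-byte sequence can be
// escaped for one encoding and interpreted in another. The values still become
// part of the SQL text, so correctness rests entirely on that escaping.
function insertWithEscaping(mysqli $db, array $row): bool
{
    $db->set_charset('utf8mb4');
    $columns = array_keys(FIELD_MAP);
    $values  = [];
    foreach ($columns as $column) {
        $values[] = "'" . $db->real_escape_string($row[$column]) . "'";
    }
    $sql = 'INSERT INTO North_America (' . implode(', ', $columns) . ')'
         . ' VALUES (' . implode(', ', $values) . ')';
    return $db->query($sql) === true;
}

// Recommended form: a prepared statement. The SQL text is fixed before any user
// value is sent, and values travel separately as parameters, so no character in
// the input, whatever its encoding, can alter the statement's structure.
function insertWithPreparedStatement(PDO $db, array $row): bool
{
    $stmt = $db->prepare(
        'INSERT INTO North_America (first_name, middle_name, last_name, email, phone, country)'
        . ' VALUES (:first_name, :middle_name, :last_name, :email, :phone, :country)'
    );
    return $stmt->execute([
        ':first_name'  => $row['first_name'],
        ':middle_name' => $row['middle_name'],
        ':last_name'   => $row['last_name'],
        ':email'       => $row['email'],
        ':phone'       => $row['phone'],
        ':country'     => $row['country'],
    ]);
}

// Usage (DB_NAME / DB_USER / DB_PASS are placeholders):
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4',
    'DB_USER',
    'DB_PASS',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);
$row = validateContact($_POST);
insertWithPreparedStatement($pdo, $row);

// When the stored value is later rendered in HTML, escape it at that point:
// echo htmlspecialchars($row['first_name'], ENT_QUOTES, 'UTF-8');
```

The charset is declared in the DSN and emulated prepares are turned off so that parameters are bound by the server rather than interpolated client-side; that is what makes the result independent of the best-fit mapping problem described in the reply. Validation and HTML escaping remain separate concerns: the former limits what is accepted, the latter is applied where the value is displayed.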
