
I have a question about security. Is it safe enough to do:

$fname = mysql_real_escape_string(htmlentities($_POST['fname']));
$lname = .....($_POST['lname']));
etc

and insert it into the table like:

mysql_query("INSERT INTO North_America 
(first_name, middle_name, last_name, email, phone, country) VALUES('$fname', '$mname', '$lname', '$email', '$phone', '$country') ") 
or die(mysql_error());

Or do I need more validating?



For some reason I did not see the top of your post regarding mysql_real_escape_string.
Sorry.



This was fine in the days of ASCII, but the tubes are hardly ASCII anymore. With Unicode, UTF-16, I have 1,112,064 code points; they are not even called characters anymore, because they really aren't. And if you are familiar with best-fit mapping, you would know that there are now dozens of characters that can represent any single symbol in ASCII, meaning that using the above type of blocking mechanisms is silly and technically insecure.

http://marc.info/?l=php-general&m=131603743606025&w=2
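
One way to do the insert from the question without relying on escaping, as an added example that is not from any poster in this thread: bound parameters through PDO for the database, with HTML encoding deferred until the value is rendered. The `$post` array and the in-memory SQLite database are assumptions made so the code runs stand-alone.

```php
<?php
// Added example, not code from the thread. In-memory SQLite keeps it runnable
// offline; on MySQL use a DSN such as
// 'mysql:host=HOST;dbname=DB;charset=utf8mb4' (HOST/DB are placeholders) and
// set PDO::ATTR_EMULATE_PREPARES to false so data never enters the SQL text.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE North_America (
    first_name TEXT, middle_name TEXT, last_name TEXT,
    email TEXT, phone TEXT, country TEXT)');

// Constructed stand-in for $_POST: a quote, markup and non-ASCII text.
$post = [
    'fname' => "Zoë", 'mname' => '', 'lname' => "O'Brien <b>",
    'email' => 'zoe@example.com', 'phone' => '555-0100', 'country' => 'Canada',
];

// Validate what has a defined shape; reject instead of trying to repair.
if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
    throw new InvalidArgumentException('invalid email');
}

// Placeholders keep values out of the statement, so no escaping is involved
// and the character-set questions raised above do not reach the SQL parser.
$stmt = $pdo->prepare(
    'INSERT INTO North_America
        (first_name, middle_name, last_name, email, phone, country)
     VALUES (:fname, :mname, :lname, :email, :phone, :country)'
);
$stmt->execute([
    ':fname' => $post['fname'], ':mname' => $post['mname'],
    ':lname' => $post['lname'], ':email' => $post['email'],
    ':phone' => $post['phone'], ':country' => $post['country'],
]);

// The row holds the raw text; HTML encoding happens only when rendering.
$row = $pdo->query('SELECT first_name, last_name FROM North_America')
           ->fetch(PDO::FETCH_ASSOC);
$html = htmlspecialchars(
    $row['first_name'] . ' ' . $row['last_name'], ENT_QUOTES, 'UTF-8'
);
echo $html, "\n";
```

Storing the raw value and encoding at output avoids the double-encoded data that `htmlentities()` before insert leaves in the table.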
