Hi everyone and thanks for reading,
Now that I've been getting my hands dirty with PHP a lot more, I've been starting to freelance and I'm wanting to make sure I have the right systematic approach to protecting data before I commit to any projects.
Whenever we accept user input either to be displayed somewhere on our site, or to be used in an SQL query (perhaps a keyword search or a login), the rule of thumb is: "NEVER TRUST USER INPUT".
Throughout my research the two functions that seem to keep coming up are mysql_real_escape_string() and htmlspecialchars(). The thing that is confusing me is how and when I should be using these.
For example if I have a login form, then surely I would only parse my data through mysql_real_escape_string() as the other function would be unnecessary?
One that I've not figured out conceptually yet is: lets say for example I am storing information about people, such as their name, home town, country and so on. Do I run all these $_POST variables through both commands? Or do I only run it through mysql_real_escape_string() and then when I'm echoing back OUT of the database, use htmlspecialchars()?
I hope I'm not rambling at this point but I'm just trying to figure out if I store the information after I run it through htmlspecialchars, or do I do that when I'm echoing back out of the database. I realise if I do this BEFORE, then if I export to plain text, I'll have a load of HTML characters that no-one will understand.
I know I've not mentioned addslashes() but I've been told that mysql_real_escape_string() is better than addslashes, and all you have to do is run the content through stripslashes() when you echo it back out.
Thanks for any help,