Hello all!
Sorry in advance if this seem like a really dumb question.
I have one page where a client posts their personal info. One way I check the post is to use htmlspecialchars and then store it in a session. For example...
<?php
session_start();
include ("databaseinfo.php");
//Form validation:
if ((!empty($_POST['username']))
&& (strlen($_POST['username']) >5)
&& (strlen($_POST['username']) <21))
{
$username=$_POST['username'];
$username=htmlspecialchars($username);
$_SESSION['username']=$username;
}
elseif (!empty($_POST['username']))
{
$errors[]= "You forgot to enter a valid entry=User Name!";
}
if (!empty($errors) && is_array($errors))
{
echo "<html><head><meta http-equiv=\"Refresh\"
content=\"5;url=http://www.thispage.com\"></head>";
echo '<h1>Error!</h1>
The following error(s) occured:<br/>';
foreach ($errors as $msg)
{
echo " - $msg<br />\n";
}
echo "<p>You are being redirected. If you do not redirect in 5 seconds, <a
href=\"http://www.thispage.com\">click
here</a>";
}
?>When they submit it takes them to 2 more pages to fill out info. After they fill out all of the forms, it will take them to a preview page to view their answers. If they accept their client page, it is going to put the info in the database. So, my question is do I have to once again use htmlspecialchars like this...
<?php
$username=$_SESSION['username'];
$username=htmlspecialchars($username);
$username_sq=mysql_real_escape_string($username);
?>or is this enough...
<?php
$username=$_SESSION['username'];
$username_sq=mysql_real_escape_string($username);
?>I know it may not matter much, but I was thinking if it's possible for a hacker to change anything between those few pages. I'm trying to be as safe as I can be.
Thank you in advance for any info you can provide.
~Amy
