Hi, I'm a bit new to SQL and this is my question...
Do I need to filter user input that has no connection with SQL database, e.g.

$x = $_GET['page'] ?? '';   // 'page' is an assumed parameter name; $_GET itself is an array and never equals a string

if ($x == 'help4') {
    print "This is help page no4.";
    // <some mysql queries go here>
}


diafol:

Always clean your input. mysql_real_escape_string() is the standard.
You can use strip_tags(), htmlentities() etc. for further use, but you can use those on output.

Thank you for the reply. But is it possible to harm my page through this type of input?

If you have not connected to your database, and as long as nobody knows the password to it (or the password is not easily guessed), it can't harm the database. But mysql_real_escape_string() is easily used and good practice.

diafol:

You still need to protect the output. You could store via DB, so ensure that your output doesn't contain <script> tags.
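A worked version of the two points made in this thread (check what you take in, and encode what you send out), written as an added example; it is not code from the original posts or from DaniWeb. The parameter name `page`, the table `help_pages` with columns `slug` and `body`, and the PDO DSN and credentials in `connect()` are all assumptions. It also goes a step beyond the replies: because the help pages are a fixed set, the routing value is checked against an allowlist, and where a value does reach SQL it is bound with a prepared statement rather than escaped.

```php
<?php
// Added example, not part of the original thread. Assumed: the request
// parameter is 'page', the table is help_pages(slug, body), and the
// DSN/credentials in connect() are placeholders.
declare(strict_types=1);

// Step 1: validate the routing input against an allowlist. The help pages
// are a known, fixed set, so arbitrary user text never needs to travel any
// further than this function. Strict in_array() also rejects ?page[]=x,
// which arrives as an array rather than a string.
const HELP_PAGES = ['help1', 'help2', 'help3', 'help4'];

function helpPageOrNull(array $get): ?string
{
    $page = $get['page'] ?? '';
    return in_array($page, HELP_PAGES, true) ? $page : null;
}

// Step 2: when a value does reach SQL, bind it instead of escaping it.
// A prepared statement keeps the data separate from the query text, so the
// escaping that mysql_real_escape_string() performed is not needed (the
// mysql_* extension it belongs to is no longer shipped with PHP).
function fetchHelpBody(PDO $db, string $slug): ?string
{
    $stmt = $db->prepare('SELECT body FROM help_pages WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['body'];
}

// Step 3: encode on output. This is the point of the last reply: input that
// never touches the database still becomes dangerous the moment it is
// echoed back into HTML, because the browser runs any <script> it contains.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function notFoundHtml(string $requested): string
{
    // Vulnerable form, shown only for contrast:
    //   return "<p>No help page called $requested</p>";
    // With ?page=<script>alert(1)</script> that echoes the script verbatim.
    return '<p>No help page called ' . h($requested) . '</p>';
}

function connect(): PDO
{
    // Placeholder DSN and credentials. ERRMODE_EXCEPTION so failures are not
    // silent; EMULATE_PREPARES off so the server performs the binding.
    return new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);
}

$page = helpPageOrNull($_GET);
if ($page === null) {
    // Only ever show the raw value back through h(); if it was not a string
    // (e.g. ?page[]=x) there is nothing sensible to echo.
    $raw = $_GET['page'] ?? '';
    http_response_code(404);
    echo notFoundHtml(is_string($raw) ? $raw : '');
    exit;
}

// The stored body is treated as plain text here and encoded like any other
// output, which is the simplest way to be sure no <script> reaches the page.
$body = fetchHelpBody(connect(), $page);
echo '<h1>' . h("Help page $page") . '</h1>';
echo '<div>' . h($body ?? 'This page is empty.') . '</div>';
```

Requesting `?page=<script>alert(1)</script>` falls through to the 404 branch and renders as `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays as text instead of executing; a valid slug such as `?page=help4` reaches the database only as a bound parameter.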
