views: 251
answers: 3
<?php

if (isset($_POST['post'])) {

    // sanitize variables
    $title = mysql_real_escape_string(trim($_POST['title']));
    $text  = mysql_real_escape_string(trim($_POST['text']));

    if (strlen($title) > 3) {

        mysql_query("INSERT INTO msgs (title, text, date)
                     VALUES ('$title', '$text', '" . time() . "')");
        header('Location: msg.php?id=' . mysql_insert_id());
        exit;

    } else {

        echo '<h2>Errors</h2><p style="color: maroon">Fields title and text must consist of more than 3 characters.</p>';

    }

}

?>

Is this safe to use? Have I forgotten something? Just making sure before I make this public.

+4  A: 

You aren't checking the length of `text`.

What happens if mysql_real_escape_string returns FALSE?

What if the insert fails? Shouldn't you check that before assuming you get an insert id?

marcc
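Putting marcc's three points into code, as an added example that is not part of the question or the answer: both fields are length-checked on the raw text (not on the escaped form, which can be longer), the insert goes through a mysqli prepared statement so no escaping step can fail or be forgotten, and a failed statement raises an error instead of redirecting to msg.php?id=0. It assumes an open mysqli connection in $db, the mbstring extension, and the msgs(title, text, date) table from the question; the function names and the length limits are this example's own. (The mysql_* extension used in the question was removed in PHP 7, which is one more reason to move to mysqli or PDO.)

```php
<?php
// Added example, not the original poster's or marcc's code. Assumes a mysqli
// connection in $db and the msgs(title, text, date) table from the question.
declare(strict_types=1);

const MIN_LEN   = 4;      // "more than 3 characters"
const MAX_TITLE = 200;    // assumed limits; choose ones that match the column sizes
const MAX_TEXT  = 10000;

/** Return a list of validation errors; an empty array means the input is acceptable. */
function validate_post(array $input): array
{
    $errors = [];
    foreach (['title' => MAX_TITLE, 'text' => MAX_TEXT] as $field => $max) {
        // A missing field, or a non-string one (e.g. title[]=x sent as an array), is rejected outright.
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[] = "Field $field is required.";
            continue;
        }
        $len = mb_strlen(trim($input[$field]));   // length of the raw text, not of an escaped copy
        if ($len < MIN_LEN) {
            $errors[] = "Field $field must consist of more than 3 characters.";
        } elseif ($len > $max) {
            $errors[] = "Field $field is too long (max $max characters).";
        }
    }
    return $errors;
}

/**
 * Insert the message with a prepared statement and return the new row id.
 * Throws on any failure instead of silently continuing with an id of 0.
 */
function insert_msg(mysqli $db, string $title, string $text): int
{
    $stmt = $db->prepare('INSERT INTO msgs (title, text, date) VALUES (?, ?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $now = time();
    $stmt->bind_param('ssi', $title, $text, $now);   // values are bound, never interpolated into SQL
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('insert failed: ' . $err);
    }
    $id = (int) $db->insert_id;
    $stmt->close();
    if ($id <= 0) {
        throw new RuntimeException('no insert id returned');
    }
    return $id;
}

if (isset($_POST['post'])) {
    $errors = validate_post($_POST);
    if ($errors === []) {
        try {
            $id = insert_msg($db, trim($_POST['title']), trim($_POST['text']));
            header('Location: msg.php?id=' . $id);
            exit;
        } catch (RuntimeException $e) {
            error_log($e->getMessage());   // details go to the server log, not to the visitor
            $errors[] = 'Could not save the message, please try again.';
        }
    }
    echo '<h2>Errors</h2>';
    foreach ($errors as $err) {
        // Escape on output even for our own messages, so the habit carries over to user data.
        echo '<p style="color: maroon">' . htmlspecialchars($err, ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
```

With the prepared statement the question's `mysql_real_escape_string` calls disappear entirely, and with them the case marcc asks about where escaping returns FALSE (it does so when there is no open connection).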
+2  A: 

I would:

a) Add a call to strip_tags() if HTML is disallowed;
b) Add a call to htmlentities() if HTML is allowed.

Wayne Khan
+1  A: 

Another thing you could add would be to check that the data received are sent from your form on your domain. Some clever chaps out there could create their own form and post to your script.

Helen Neely
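The check Helen Neely describes is usually implemented with a per-session form token rather than by looking at the Referer header, which browsers and proxies often strip. The following added example (not code from any of the answers) issues a random token with the form, requires it back on submission, and also shows where the escaping from Wayne Khan's answer belongs: at output time, when the stored message is rendered. It assumes PHP sessions are enabled and PHP 7.4 or later; the function names are this example's own.

```php
<?php
// Added example, not from the question or the answers above. Assumes PHP
// sessions are available; csrf_token, csrf_check and render_msg are made up here.
declare(strict_types=1);

session_start();

/** Return the session's form token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

/** True only if the submitted token matches the session token (constant-time comparison). */
function csrf_check(array $post): bool
{
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

/**
 * Escape a stored message for HTML output. Escaping here, rather than before the
 * INSERT, keeps the database holding the text the user actually typed; if HTML is
 * not wanted at all, strip_tags() on input is a complement to this, not a replacement.
 */
function render_msg(string $title, string $text): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>' . $h($title) . '</h2><p>' . nl2br($h($text)) . '</p>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['post'])) {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Form token missing or invalid; please reload the form and try again.');
    }
    // ... validate the fields and insert the row as in the question ...
}

// The form carries the token in a hidden field, so a form hosted elsewhere cannot supply it.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="$token">
  <input type="text" name="title">
  <textarea name="text"></textarea>
  <button type="submit" name="post" value="1">Post</button>
</form>
HTML;
```

A token that never leaves the session and is compared with hash_equals() cannot be guessed or timed by a third-party page, and because the session cookie alone is not enough to post, a forged form on another domain is rejected with a 403 before any database work happens.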