views:

108

answers:

2

I know of taking out slashes, changing HTML to ", lowercasing everything. I just don't know what is the best or foolproof way of doing this.

Any help?

+3  A: 

Generally the best option is to use the language's built-in functions for that. For escaping input to MySQL database queries in PHP, use mysql_real_escape_string(). For escaping output as HTML, use htmlspecialchars() or htmlentities(). Ruby on Rails has a function for HTML escaping too: h() (e.g. <%=h @object.property %>). Check your language documentation for specifics.

jtbandes
Agreed. Don't try and reinvent the wheel; you only need to miss one case and you're screwed. Let the combined wisdom (and more importantly, experience) of the community handle it for you.
Mikeage
Ok, I know about "mysql_real_escape_string()" and "htmlentities()". I was just wondering if that was all I should use or if there is a better setup? Thanks.
AdamDecaf
It depends on what you need to do, really. Like I said, if you're taking input to a DB query, use the corresponding escape_string function that's designed for that purpose. If you're outputting it as HTML, use an HTML-escaping function. There should always be something made for the situation you have — and if there isn't, then it's likely you're doing something you shouldn't be (or just have a really obscure situation), and you should probably ask others (e.g. on Stack Overflow).
jtbandes
A: 

The best filters are inclusive, not exclusive, as you can usually tell what good input should contain.

Hasturkun
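Putting both answers together in an added example (my code, not from either answer): an allow-list validator for an identifier next to the kind of deny-list filter the first answer warns against, html.escape() as the Python counterpart of PHP's htmlspecialchars(), and a bound-parameter query standing in for mysql_real_escape_string(). sqlite3 and the sample names are assumptions so the example runs without a database server.

```python
import html
import re
import sqlite3

# Inclusive (allow-list) filter: state what good input looks like and
# reject everything else, as the second answer recommends.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def is_valid_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


# Exclusive (deny-list) filter for comparison: strips a few characters and
# lets everything else through, so it both mangles legitimate data and is
# easy to miss a case with.
def denylist_filter(value: str) -> str:
    return value.replace("'", "").replace("<", "").replace(">", "")


# HTML output context: html.escape converts & < > " ' only, the same
# job htmlspecialchars() does in PHP. Apply it at output time, not on input.
def render_comment_html(text: str) -> str:
    return "<p>" + html.escape(text, quote=True) + "</p>"


# SQL context: the value is passed to the driver as a bound parameter rather
# than escaped into the query text, so quotes in it are plain data.
def find_user(conn: sqlite3.Connection, username: str) -> list:
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?", (username,))
    return cur.fetchall()


def demo() -> dict:
    conn = sqlite3.connect(":memory:")  # assumption: in-memory SQLite
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    # constructed sample data: a legitimate name containing a quote
    conn.execute("INSERT INTO users (name) VALUES (?)", ("O'Brien",))
    return {
        "allowlist_ok": is_valid_username("alice"),
        "allowlist_rejects_quote": is_valid_username("O'Brien"),
        "denylist_mangles": denylist_filter("O'Brien"),
        "html": render_comment_html('<b>"hi"</b>'),
        "exact_match": find_user(conn, "O'Brien"),
        "quote_is_data": find_user(conn, "O'Brien'"),
    }
```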