Formchecking functions in php

Question

I'm working on a registration form in PHP and I'm wonder what the essential functions are to make sure my database is safe.

I'm sure there are a lot of ways to both protect your database or attack one, but I'm asking the advice of stackoverflow: what functions or things must you apply to your data before inserting it into the database.

Also, suppose I'm escaping the string "Karl D'Hondt", which becomes "Karl D\'Hondt", I'll need regex that takes the \ into account. Names don't normally contain such symbols. Or should I simply check for a ; symbol in all strings and filter those???

It's kinda confusing thinking of every single way you can try to prevent something. Which is why I'm asking here for the experience of veterans to help decide on a compact, but powerfull and versatile way of securing databases from the data that is sent via forms.

Answer 1

function sql_quote( $value ) { if( get_magic_quotes_gpc() ) { $value = stripslashes( $value ); } //check if this function exists if( function_exists( "mysql_real_escape_string" ) ) { $value = mysql_real_escape_string( $value ); } //for PHP version < 4.3.0 use addslashes else { $value = addslashes( $value ); } return $value; }

That should do a pretty good job of cleaning it all up.

Answer 2

Use prepared statements to stop your data damaging your database. Don't try to handle it manually.

http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php

Run htmlspecialchars over data before writing it to HTML pages to protect against XSS.