I have a form with many fields…
The action is set to a php page which queries mysql…
Should I sanitize with mysql_real_escape_string every single variable?
Or can I ignore sanitizing drop-lists and radios for instance?
Also, besides mysql_real_escape_string, what else should I do to prevent attacks?
Thanks
You must check selects and radio buttons too. Anyone can create their own HTML form and post it to your script. The Firefox extension Web Developer Toolbar even has an option to convert selects to text inputs.
You can also check that the posted data only contains correct values. For example, if you have a radio button, make sure that the posted form only contains one of the valid values.
You should of course only run mysql_real_escape_string on variables that you are going to put into MySQL. If saving to a file, using on the command line or anything else, there are more appropriate functions and solutions.
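An added example (not code from the question or the answer above) of the server-side whitelist check the answer recommends, applied to every field including the select and the radio group, since a forged POST can carry any string in those fields. Field names, allowed values, the table and column names and the database connection are assumptions. It stores the row through a mysqli prepared statement with bound parameters instead of mysql_real_escape_string (the mysql_ extension was removed in PHP 7), so the values reach MySQL as data and never as part of the SQL text.

```php
<?php
// Added example, not code from the original question or answer.
// Field names, allowed values, table/column names and the DB connection are assumptions.

// Allowed values for the fixed-choice fields: a <select> and a radio group.
const ALLOWED_CHOICES = [
    'country'    => ['us', 'ca', 'mx'],
    'newsletter' => ['yes', 'no'],
];

// Returns the posted value only if it is exactly one of the allowed choices.
// Strict comparison, so "0" does not match an integer 0 and arrays are rejected.
function validateChoice(array $post, string $field, array $choices): string
{
    $value = $post[$field] ?? null;
    if (!is_string($value) || !in_array($value, $choices, true)) {
        throw new InvalidArgumentException("Invalid or missing value for '$field'");
    }
    return $value;
}

// Free-text fields cannot be whitelisted; bound them by type and length instead.
function validateText(array $post, string $field, int $maxLen): string
{
    $value = $post[$field] ?? null;
    if (!is_string($value) || $value === '' || strlen($value) > $maxLen) {
        throw new InvalidArgumentException("Invalid or missing value for '$field'");
    }
    return $value;
}

// Validate the whole submission: every field, not only the free-text ones.
function validateSubmission(array $post): array
{
    return [
        'name'       => validateText($post, 'name', 100),
        'country'    => validateChoice($post, 'country', ALLOWED_CHOICES['country']),
        'newsletter' => validateChoice($post, 'newsletter', ALLOWED_CHOICES['newsletter']),
    ];
}

// Store the validated row. The values are bound as parameters, so they are
// never interpolated into the SQL string and need no per-variable escaping.
function saveSubmission(mysqli $db, array $row): void
{
    $stmt = $db->prepare(
        'INSERT INTO signups (name, country, newsletter) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $row['name'], $row['country'], $row['newsletter']);
    $stmt->execute();
    $stmt->close();
}

// Constructed sample requests: one genuine, and one forged as if the
// <select> had been turned into a text input carrying an injection payload.
$genuine = ['name' => 'Alice',   'country' => 'ca',            'newsletter' => 'yes'];
$forged  = ['name' => 'Mallory', 'country' => "ca' OR '1'='1", 'newsletter' => 'yes'];

foreach ([$genuine, $forged] as $post) {
    try {
        $row = validateSubmission($post);
        echo 'accepted: ' . json_encode($row) . PHP_EOL;
        // With a real connection (assumed credentials):
        // $db = new mysqli('localhost', 'user', 'pass', 'app');
        // saveSubmission($db, $row);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . PHP_EOL;
    }
}
```

The whitelist check is what protects the select and radio fields; the prepared statement is what protects the free-text ones, and it costs nothing to apply it to all three. Note that the whitelist is also the only thing stopping a value that is syntactically harmless but semantically wrong (a country code your application does not know), which escaping alone would never catch.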