Home/ Questions/Q 9124651
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T06:37:06+00:00

On my registration form I have four inputs: username password email address web address

  • 0

On my registration form I have four inputs: 

username  
password
email address
web address

Can’t figure which off all available sanitizing methods is really needed: 

strip_tags()
substr()
mysql_real_escape_string()
trim()
htmlentities()
addslashes()
. . . (you may add more)

Somewhere I found that a function is a must have, somewhere this function is declared as deprecated or less valuable the another one ...

Could someone be so kind to create a list of priorities for all four inputs above.

Note: PDO - prepared statements are already used for communication with database.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    First you need to be clear about hat for you like to sanitize.

    Because you use allready prepared statements there is no need for:
    mysql_real_escape_string()

    If you like to deny you users the use of html, to avoid XSS you should perhaps use
    strip_tags()

    To secure your html display agains not printable characters
    htmlentities()
    But in times of UTF-8 its a little obsolet.

    For password input it can be used
    trim()
    because it helps if youser copys passwords with leading / attached space.
    Because outlook add spaces. But not everybody think this is an good idea, to trim passwords.

    Depends on your Templating system it could be an good idea to use
    addslashes()
    for pre defined input values like

    <input type="text" value="<?php addslashes($value); ?>" />

    because it could be possible to do:

    my value " /><script>evil things</script><

    To have some kind of XSS in autocomplete forms.

    • 0