Possible Duplicate:
How to prevent SQL injection?
I am setting up a comment system on my site and I wanted to know if this is safe. I use PHP and MySQL.
– Do not use code below, it’s horribly insecure –
Creating a new comment:
- User writes $comment, submits it
- $comment = addslashes($comment);
- insert $comment into MySQL database
Reading a comment:
- User requests a comment, database delivers $comment
- $comment = htmlspecialchars(stripslashes($comment));
- echo $comment;
The system should be secure against HTML manipulations and MySQL injections. And all other nasty stuff I am not aware of. Am I doing it right?
Bonus question: What collation should I use for $comment in my MySQL table?
Edit: wow I didn’t think my question could cause this huge discussion. Thank you for all your answers 🙂
Consider switching to prepared statements right from the start 🙂
They may seem like a bit of overhead now, but you save so much time worrying about escaping each and every parameter that it pays back.
Here is a good Tutorial: http://www.kitebird.com/articles/php-pdo.html.
When printing out user defined content, you still need to use htmlspecialchars to account for XSS vulnerabilities.
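The flow the answer describes (bound parameters on insert, htmlspecialchars only at output, no addslashes/stripslashes round trip), written out as an added example rather than the answerer's own code; it assumes a MySQL table `comments (id, body)` created with the utf8mb4 character set and uses placeholder connection credentials.

```php
<?php
// Added example (not from the answer above): store a comment with a PDO
// prepared statement and escape it for HTML only when it is displayed.
// Assumes: table `comments` (id INT AUTO_INCREMENT, body TEXT) in utf8mb4,
// and placeholder DSN/credentials below.
declare(strict_types=1);

function connect(): PDO
{
    // charset=utf8mb4 keeps the connection charset in step with the table, so
    // multi-byte input is neither mangled nor mis-escaped by the driver.
    return new PDO(
        'mysql:host=localhost;dbname=example_db;charset=utf8mb4', // placeholder
        'example_user',                                            // placeholder
        'example_password',                                        // placeholder
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

function saveComment(PDO $pdo, string $comment): int
{
    // No addslashes(): the value is sent as a bound parameter, never spliced
    // into the SQL text, so quotes in the comment cannot alter the query.
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->bindValue(':body', $comment, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function renderComment(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $body = $stmt->fetchColumn();
    if ($body === false) {
        return '';
    }
    // No stripslashes(): nothing was added on the way in. Escape for HTML at
    // the point of output; ENT_QUOTES also covers attribute-value contexts.
    return htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Usage:
// $pdo = connect();
// $id  = saveComment($pdo, $_POST['comment'] ?? '');
// echo '<p>' . renderComment($pdo, $id) . '</p>';
```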