I need a better way to stop hackers from inserting fatal data into my database
I currently have a guest book on my site. It is very basic. Recently I have been doubting whether my current method of sanitizing the input added to开发者_开发百科 the database is secure enough. Here is the current snippet of the code that collects the data and sanitizes it:
$name=$_POST['name'];
$c_name=mysql_real_escape_string(htmlspecialchars($name));
$detail=mysql_real_escape_string(htmlspecialchars($_POST['detail']));
Then obviously I would send the data to the server and place them in the necessary tables. Is this way efficient or are there any security holes I should be aware of? Thanks!
You should never use htmlspecialchars()
on data you are sending to the database; it should only be used on output. Other than that, I recommend you read "Making Wrong Code Look Wrong" so that you can keep your variables straight.
... making robust code by literally inventing conventions that make errors stand out on the screen.
精彩评论