Possible Duplicate:
Best way to prevent SQL injection?
For logging in:
$username = mysql_real_escape_string(htmlspecialchars(strip_tags(trim($_POST['username'])), ENT_QUOTES));
$password = mysql_real_escape_string(htmlspecialchars(strip_tags(trim($_POST['password'])), ENT_QUOTES));
For inserting data I re-use the same mysql_real_escape_string(htmlspecialchars(strip_tags(trim(...
I feel like this is bad practice because I'm using so many functions... Is this the right way to protect against MySQL injection and prevent XSS injection? Or is it completely overboard? Everything works fine and nothing is broken--my question really is, am I using things that are obsolete when paired together? Is there only one function that I should use for the job?
Thanks.
What if I use <mysecretpassword> as a password?
It will be stripped and anyone will be able to login as me.
I think you should store the username and password as they are and do htmlspecialchars only when displaying them.
strip_tags seems to be unnecessary here at all unless you really dislike usernames like BlaBla aka Yada-Yada <C00lHax0r>
mysql_real_escape_string should be enough… the other things you should check where the user registers himself
You did protect from MySQL injection, but the string you stored is way off from its original format. Functions such as strip_tags, htmlspecialchars and trim should be used when you are pulling the string OUT and echoing it.
Reason is, sometimes you might want to have the string in its original format so you can, for example, just strip some tags, not all of them - or you might want to just use htmlspecialchars without stripping any tags. The key is in being able to easily transform the string in what you need it to be when you are showing it. That means, you need to keep the string in its original format. In order to do that - you don't strip_tags or htmlspecialchars-it.
The other thing is, everyone and their grandparents are using PDO, you might want to start playing with it because it really does make you immune against SQL injection.
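The approach this answer and the "<mysecretpassword>" answer above describe (store the submitted string unchanged, let a PDO prepared statement handle SQL injection, escape only when the value goes into HTML) as an added example; this is not code from the question or from any answer here. The DSN, credentials, table and column names are assumptions, and password_hash/password_verify (PHP 5.5+) are used for the stored password.

```php
<?php
// Added example, not from the page. DSN, credentials, table and column
// names are assumptions. ERRMODE_EXCEPTION surfaces query errors instead of
// silently returning false; emulated prepares are disabled so the server
// does the parameter binding.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Registration: no strip_tags/htmlspecialchars, so a password such as
// "<mysecretpassword>" is hashed exactly as typed and later verifies.
function register(PDO $pdo, $username, $password)
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([
        ':u' => trim($username),
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Login: the username is a bound parameter, never concatenated into the SQL
// text, so quotes or SQL keywords inside it are just data to the server.
function login(PDO $pdo, $username, $password)
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => trim($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row;
}

// Output: escaping for the HTML context happens here, on the raw stored
// value, so a username like "BlaBla <C00lHax0r>" displays as typed instead
// of being mangled once at registration time.
function greeting(array $user)
{
    return 'Welcome, ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
}

// Login handler for a POSTed form with "username" and "password" fields.
$user = login($pdo, $_POST['username'], $_POST['password']);
if ($user !== null) {
    echo greeting($user);
}
```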
The strip_tags thing isn't necessary.
For coding comfortability, you may want to create a function to do this for you:
function escape_everything($something)
{
    // Undo magic_quotes first, then trim, strip tags, HTML-encode and finally SQL-escape
    return mysql_real_escape_string(htmlspecialchars(strip_gpc(trim($something)), ENT_QUOTES));
}
function strip_gpc($something)
{
    // Remove the slashes PHP added automatically when magic_quotes_gpc is on
    return get_magic_quotes_gpc() ? stripslashes($something) : $something;
}
This approach has some issues though. It only works for data you are sending to the database, and more importantly, you are saving data HTML-encoded. If in the future you want to generate PDFs from the data you saved in the database, you'd need to htmlspecialchars_decode() first, so it may be a bit inconvenient (but easily solvable).
Here is what is suggested by most of the answers.
$username = mysql_real_escape_string(trim($_POST['username']));
$password = md5("mysalt".mysql_real_escape_string(trim($_POST['password'])));