Is
$username = $_POST['username'];
$sanitizedUsername = strip_tags(stripcslashes($username));
enough to prevent malacious sql injections and other types of attacks. If not what else should I use?
P.S. I want to allow users to choose usernames and passwords that contain alphanumeric, space and symbol characters (except those like quotes or asterisks that 开发者_如何学运维are used in mysql statements).
When you insert into the database, use:
mysql_real_escape_string($_POST['username']);
When you are outputting to HTML, use:
htmlspecialchars($_POST['username']);
If you'r environment allows it, always use parametrized queries to avoid SQL injection http://pl.php.net/manual/en/mysqli.prepare.php
Use string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )
http://www.php.net/mysql_real_escape_string
精彩评论