It has been a long day but I cannot seem to choose in my own head which is better or if I should use both.
Basically, what should I use to sanitize user-inputted values? Is it either the htmlentities or preg_match function?
I will then, if the value goes into a SQL query, use the mysql_real_escape_string function, but only until I change it to a prepared statement; then I can remove this.
Or would it be a good idea to use both htmlentities and preg_match?
Why didn't you just ask this in your previous question?
Use preg_match before you do any escaping, to ensure the data meets the whitelist of what you expect it to be. Then use the escape for the database insertion. This is called defense in depth (i.e. more than one layer of security checking, in case the attacker can break through the first layer).
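Putting the answer above into working code, as an added example that is not part of the original question or answer: validate first with a preg_match whitelist, then let a prepared statement handle the database (the asker's stated end goal), and apply htmlentities only at the point where the value is rendered into HTML. The `users` table, the username pattern and the sample inputs are all assumptions made for this example; it uses an in-memory SQLite database through PDO so it runs offline.

```php
<?php
// Added example (not from the original question or answer).
// Assumes PHP with PDO and the pdo_sqlite extension, a hypothetical
// "users" table with a "username" column, and constructed sample inputs.

declare(strict_types=1);

// Layer 1: whitelist validation. Reject anything that is not the shape we expect.
// The pattern (3-20 chars of [A-Za-z0-9_]) is an assumption for this example.
function validate_username(string $input): ?string
{
    // \A and \z anchor the whole string; the D modifier stops a trailing
    // newline from slipping past a $ anchor if someone changes \z to $.
    if (preg_match('/\A[A-Za-z0-9_]{3,20}\z/D', $input) !== 1) {
        return null;
    }
    return $input;
}

// Layer 2: the database context. A prepared statement keeps the value out of
// the query text entirely, so no escaping function is needed here.
function insert_username(PDO $db, string $username): void
{
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (:username)');
    $stmt->execute([':username' => $username]);
}

// Layer 3: the HTML context. Encode when rendering, not when storing, so the
// database keeps the raw value and other output contexts can encode their own way.
function render_username(string $username): string
{
    return '<span class="user">'
        . htmlentities($username, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</span>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');

// Constructed inputs: one legitimate, one SQL-injection attempt, one XSS attempt.
$inputs = [
    'alice_01',
    "bob' OR '1'='1",
    '<script>alert(1)</script>',
];

foreach ($inputs as $raw) {
    $clean = validate_username($raw);
    if ($clean === null) {
        // Encode even the rejected value before echoing it; it is still untrusted.
        echo 'rejected by whitelist: ' . htmlentities($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "\n";
        continue;
    }
    insert_username($db, $clean);
    echo 'stored and rendered as: ' . render_username($clean) . "\n";
}

// Only the whitelisted value reached the table.
echo 'rows in users: ' . $db->query('SELECT COUNT(*) FROM users')->fetchColumn() . "\n";
```

The point of the layering is that each step guards a different thing: the whitelist rejects unexpected input up front, the prepared statement makes SQL injection impossible regardless of the value, and htmlentities protects the page when the value is displayed. Running htmlentities before storage instead would mangle the data for any non-HTML consumer and would not protect the query at all.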