
php security question


It has been a long day, but I cannot seem to decide in my own head which is better, or whether I should use both.

Basically, what should I use to sanitize user-inputted values: the htmlentities or the preg_match function?

If the value goes into a SQL query, I will then use the mysql_real_escape_string function, but only until I change it to a prepared statement, at which point I can remove this.

Or would it be a good idea to use both htmlentities and preg_match?

Oliver Bayes-Shelton asked Feb 25 '10 16:02


1 Answer

Why didn't you just ask this in your previous question?

Use preg_match before you do any escaping, to ensure the data meets the whitelist of what you expect it to be. Then use the escape for the database insertion. This is called defense in depth (i.e. more than one layer of security checking, in case the attacker can break through the first layer).

Mike answered Nov 19 '22 21:11
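Worked example of the layering the answer describes (added here; it is not code from the question or the answer): a preg_match whitelist on the raw input, a prepared statement for the database write in place of mysql_real_escape_string, and htmlentities applied only where the value is rendered into HTML. It uses PDO with an in-memory SQLite database so it runs offline; the table, the username rule and the sample inputs are constructed for this example.

```php
<?php
// Added example, not from the original question or answer. Assumptions:
// an in-memory SQLite database via PDO, a constructed `users` table, and a
// constructed whitelist rule for usernames.

declare(strict_types=1);

/**
 * Layer 1: whitelist validation at input time. Accept only what the field
 * may contain and reject everything else, rather than trying to "clean" it.
 * Returns the value unchanged on success, null on rejection.
 */
function validateUsername(string $input): ?string
{
    // Constructed rule: 3 to 20 characters, letters, digits and underscore.
    // \A and \z anchor to the whole string so trailing newlines are rejected.
    return preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $input) === 1 ? $input : null;
}

/**
 * Layer 2: the database write uses a prepared statement, so the value is
 * passed as a bound parameter and never interpolated into the SQL text.
 * This is what replaces mysql_real_escape_string once the migration is done.
 */
function insertUser(PDO $db, string $username): void
{
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (:username)');
    $stmt->execute([':username' => $username]);
}

/**
 * Layer 3: escape for the output context. htmlentities belongs at the point
 * where the value is placed into HTML, not at input time; the database keeps
 * the raw, validated value.
 */
function renderUsername(string $username): string
{
    $escaped = htmlentities($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="user">' . $escaped . '</span>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');

// Constructed sample inputs: one passes the whitelist, two are rejected.
$samples = ['alice_01', "o'neil", '<b>eve</b>'];

foreach ($samples as $raw) {
    $clean = validateUsername($raw);
    if ($clean === null) {
        // Even a rejected value is escaped before it is echoed back as HTML.
        echo 'rejected: ' . renderUsername($raw) . PHP_EOL;
        continue;
    }
    insertUser($db, $clean);
    echo 'stored: ' . renderUsername($clean) . PHP_EOL;
}

echo 'rows in users: ' . $db->query('SELECT COUNT(*) FROM users')->fetchColumn() . PHP_EOL;
```

Run it with `php example.php` (requires the pdo_sqlite extension). The point of the three separate functions is that each layer answers a different question: the whitelist decides whether the input is acceptable at all, the prepared statement keeps data out of the SQL grammar regardless of its content, and htmlentities makes the value safe for the one output context it is written into. Escaping for HTML before storing would corrupt the stored data and would still not protect the SQL layer.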