vinpkl — 2012-10-12T06:44:42-04:00 — #1
I'm using the code below for validating a phone number.
Do I still need to use
mysql_real_escape_string with the above code, even if I'm not inserting it into the database until it is a numeric value?
cpradio — 2012-10-12T07:41:34-04:00 — #2
No, you don't need to use mysql_real_escape_string on your $phone_number variable, because you already proved it only contains numbers. So that variable alone could not provoke a SQL Injection.
vinpkl — 2012-10-12T07:50:28-04:00 — #3
Should trim be used after it or before it?
cpradio — 2012-10-12T07:53:31-04:00 — #4
I'm not sure it would make a difference, but I usually put trim inside the mysql_real_escape_string call (like your first example).
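As an added example (not code from the thread; the original validation snippet is not shown on the page), here is the validate-then-trust approach from #2 and #4 written out, with trim() applied before the check so that surrounding whitespace does not cause a false rejection. validate_phone(), store_phone() and the users table are illustrative assumptions. ctype_digit() is used rather than is_numeric() because is_numeric() also accepts a sign, leading whitespace, a decimal point and an exponent ('1e9'), which would break the "it contains only digits, so it cannot inject" argument. Since mysql_real_escape_string() and the rest of the mysql_* extension were removed in PHP 7, the insert binds the value with a PDO prepared statement instead.

```php
<?php
// Added example, not from the original thread. Names like validate_phone(),
// store_phone() and the users table are illustrative assumptions.
declare(strict_types=1);

/**
 * Return the canonical digit string, or null if $raw is not a phone number.
 * trim() runs first so that "  9876543210 " is accepted.
 * ctype_digit() is deliberately stricter than is_numeric(): is_numeric("1e9"),
 * is_numeric(" 12") and is_numeric("+12") all return true, ctype_digit() rejects them.
 */
function validate_phone(string $raw, int $min = 10, int $max = 15): ?string
{
    $digits = trim($raw);
    if (!ctype_digit($digits)) {          // rejects "" and anything but [0-9]
        return null;
    }
    $len = strlen($digits);
    if ($len < $min || $len > $max) {      // length sanity check
        return null;
    }
    return $digits;
}

/**
 * Store the validated value with a prepared statement. validate_phone() only
 * ever returns [0-9]+, so the value could not inject even if interpolated into
 * the SQL; binding it anyway keeps the query safe if the validation is relaxed
 * later (e.g. to allow "+" or "-").
 */
function store_phone(PDO $db, int $user_id, string $phone): void
{
    $stmt = $db->prepare('UPDATE users SET phone = :phone WHERE id = :id');
    $stmt->execute([':phone' => $phone, ':id' => $user_id]);
}

// Constructed sample inputs: what a user might type into the form.
$samples = [
    [' 9876543210 ',           'accepted: trim() strips the spaces'],
    ['98765-43210',            'rejected: hyphen'],
    ['1e9',                    'rejected here, although is_numeric() would accept it'],
    ["9876543210' OR '1'='1",  'rejected: quote and letters'],
    ['123',                    'rejected: too short'],
];
foreach ($samples as [$input, $why]) {
    $result = validate_phone($input);
    printf("%-28s => %s (%s)\n", var_export($input, true), $result ?? 'REJECTED', $why);
}
```

Run with `php validate_phone.php`; only the first sample survives. If the form should accept spaces or dashes inside the number, strip them explicitly (for example with `preg_replace('/[\s-]/', '', $digits)`) before the ctype_digit() check rather than loosening the check itself, so the value that reaches the database is still pure digits.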
vinpkl — 2012-10-12T08:04:39-04:00 — #5
Does htmlspecialchars() add another layer of security if used along with mysql_real_escape_string?
cpradio — 2012-10-12T08:21:07-04:00 — #6
No, htmlspecialchars() does nothing for your database security. It does protect you against XSS attacks, and so should only be used when outputting the content to the page. I actually recommend htmlentities() instead of htmlspecialchars().
vinpkl — 2012-10-12T09:02:21-04:00 — #7
I meant to ask:
suppose someone enters the name as "vin@#$".
Will it then be safe to add the name as it is to the database,
or should we first convert the post data with htmlspecialchars or htmlentities and then add it to the database?
cpradio — 2012-10-12T10:09:02-04:00 — #8
The only characters that are unsafe to a database are single and double quotes (which is why you use mysql_real_escape_string).
htmlspecialchars or htmlentities DO NOT need to be used when inserting into the database/table. They only need to be used to prevent XSS attacks.
vinpkl — 2012-10-12T10:22:46-04:00 — #9
I'm new to XSS, so can you tell me:
do XSS attacks happen only while outputting the data from the database,
or are there other occasions when XSS attacks can happen?
cpradio — 2012-10-12T10:27:41-04:00 — #10
XSS attacks can occur when you output ANY data that may have been entered by a User via QueryString, Form Data, data stored in a database, etc.
With htmlentities, it will output the comment as TEXT, so it can't be executed, as it will substitute all of the < and > signs to be &lt; and &gt; along with the quotes.
Hopefully this makes sense. Good question
vinpkl — 2012-10-12T11:05:11-04:00 — #11
Do htmlentities() and htmlspecialchars()
both work fine
with one particular charset (UTF or ISO),
or with both charsets?
cpradio — 2012-10-12T11:07:45-04:00 — #12
If you look at the PHP manual pages for both htmlentities and htmlspecialchars, you will see which encodings are supported and that you can tell it to use a specific encoding (if you want).
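As an added example covering #8, #10 and #12 together (this is not code from the thread), here is the store-raw, encode-on-output pattern in PHP, with the charset and quote flags spelled out. h() and render_name() are illustrative names; the sample names are constructed. It also shows what goes wrong with the alternative the question in #7 proposes, encoding before the insert: the stored value is then double-encoded when the output layer encodes it again. htmlspecialchars() covers the five characters that matter for HTML injection (&, <, >, " and '); htmlentities() additionally converts every character that has a named entity, so "Zoë" becomes "Zo&euml;", which is not needed for XSS protection when the page itself is served as UTF-8.

```php
<?php
// Added example, not from the original thread. h() and render_name() are
// illustrative names; the sample data is constructed.
declare(strict_types=1);

/**
 * Encode a string for an HTML text node or a quoted attribute value.
 * ENT_QUOTES:     encode both " and ' (the default leaves ' alone, which is
 *                 not enough inside single-quoted attributes).
 * ENT_SUBSTITUTE: replace invalid UTF-8 sequences with U+FFFD instead of
 *                 returning an empty string.
 * 'UTF-8':        the encoding of the page being built; it must match the
 *                 Content-Type the browser sees, otherwise multibyte input can
 *                 be interpreted differently by the encoder and by the browser.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render a stored name both as an attribute value and as element text. */
function render_name(string $stored): string
{
    return '<li title="' . h($stored) . '">' . h($stored) . '</li>';
}

// Constructed values as they would sit in the database: stored exactly as
// entered (written with a prepared statement, no HTML encoding on the way in).
$stored_samples = [
    'vin@#$',                      // harmless punctuation, stays as-is end to end
    '<script>alert(1)</script>',   // stored as-is, becomes inert text on output
    '" onmouseover="alert(1)',     // attribute break-out attempt, closed by ENT_QUOTES
    'Zoë',                         // non-ASCII survives untouched
];
foreach ($stored_samples as $s) {
    echo render_name($s), "\n";
}

// The pattern proposed in #7: encoding before the INSERT. The row now holds
// "Tom &amp; Jerry", and the output layer, which must encode everything it
// prints, encodes the & again.
$encoded_at_insert = htmlentities('Tom & Jerry', ENT_QUOTES, 'UTF-8');
echo render_name($encoded_at_insert), "\n";   // shows the literal text "Tom &amp; Jerry"
// A search for "Tom & Jerry" no longer matches the stored row either, and any
// non-HTML consumer (JSON API, e-mail, CSV export) receives the entity form.
```

Run with `php output_encoding.php` and view the output in a browser or the terminal: the script sample renders as visible text rather than executing, the attribute sample stays inside its quotes, and the last line demonstrates the double-encoding you get when the database already contains entities. The rule that follows from the thread is: validate or bind on the way into the database, and encode for the specific output context (HTML here) at the moment of output, every time.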