Is my security ok?

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Moderators: macek, egami, gesf

New php-forum User
Posts: 1
Joined: Fri Sep 23, 2011 4:09 am

Is my security ok?

Postby SarahPie » Fri Sep 23, 2011 6:06 am

Hi everyone.
My name is Sarah, this is my first post, I hope you don't think that I am a total idiot, but I am quite new to PHP and I am learning it in school.

I was wondering if someone could please give me a bit of advice about security. I have a simple form script that submits stuff to a database, and I just want to make sure that it's protected and no one can do any damage.

I have read a lot about security, but I am not sure if I am doing it right, so could someone please let me know if I have made any mistakes?

Basically, here is my code for a simple form, where people type in their email address and a funny joke, and the joke and the email address go to the database.

Please note, I am NOT validating the email address here, because it doesn't matter if a person puts in a real email address or a fake one.

What I need to know is: will this code stop any nasty stuff, or is there more I need to do?

Code:

function check_input($data)
{
    $data = trim($data);                          // strip surrounding whitespace
    $data = stripslashes($data);                  // remove backslashes
    $data = htmlspecialchars($data, ENT_QUOTES);  // encode <, >, &, " and ' as entities

    return $data;
}

$email = mysql_real_escape_string($_POST['email']);
$joke  = mysql_real_escape_string($_POST['joke']);

$email = check_input($email);
$joke  = check_input($joke);

$sql = "INSERT INTO vote_messages (email, msg) VALUES ('$email','$joke')";

Thank you so much to anyone who can advise a newbie.

php-forum Fan User
Posts: 981
Joined: Thu Feb 17, 2011 6:52 am
Location: Racine, WI

Re: Is my security ok?

Postby Nullsig » Mon Sep 26, 2011 9:50 am

No, it won't.

You have the right idea, but you call mysql_real_escape_string and then strip out all the slashes it just added.

You should remove the call for stripslashes. That will get you exactly where you want to go.

You also don't technically need the htmlspecialchars call but that's more of a personal preference.
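
As an added example (not code from Sarah, Nullsig or this forum), the same order of operations as the posted check_input() pipeline, run on an input containing a backslash and one containing a quote, next to a version that stores the values with a mysqli prepared statement and encodes for HTML only at display time. The `$db` connection, the `vote_messages` table and the `store_joke`/`render_joke` names are assumptions; addslashes() stands in for mysql_real_escape_string() so the first function runs without a database connection.

```php
<?php
// Added example, not from the original thread.

// Same order of operations as the posted pipeline. addslashes() is a
// stand-in for mysql_real_escape_string(), which needs a live connection;
// both put a backslash in front of ' " \ and NUL.
function original_pipeline(string $data): string
{
    $data = addslashes($data);                   // escape for SQL
    $data = trim($data);
    $data = stripslashes($data);                 // removes the escaping again
    return htmlspecialchars($data, ENT_QUOTES);  // quotes become entities
}

// A lone backslash goes in and the same lone backslash comes out: the
// escaping step had no effect on what is interpolated into the SQL string.
var_dump(original_pipeline("\\") === "\\");   // bool(true)
var_dump(original_pipeline("O'Brien"));       // string(12) "O&#039;Brien"

// Hardened version: trim, then hand the raw values to a prepared statement.
// The driver sends the values separately from the SQL text, so no quoting
// of the values is needed and nothing is stripped or double-encoded.
function store_joke(mysqli $db, string $email, string $joke): bool
{
    $stmt = $db->prepare('INSERT INTO vote_messages (email, msg) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $email = trim($email);
    $joke  = trim($joke);
    $stmt->bind_param('ss', $email, $joke);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// HTML-encode when the joke is displayed, not before storing it, so the
// database holds the text the user actually typed.
function render_joke(string $joke): string
{
    return htmlspecialchars($joke, ENT_QUOTES, 'UTF-8');
}

// Usage (connection details are placeholders):
// $db = new mysqli('localhost', 'user', 'password', 'jokes');
// store_joke($db, $_POST['email'] ?? '', $_POST['joke'] ?? '');
// echo render_joke($rowFromDatabase['msg']);
```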

php-forum GURU
Posts: 2196
Joined: Wed Oct 06, 2010 11:19 am
Location: Happy Valley, UT

Re: Is my security ok?

Postby egami » Mon Sep 26, 2011 10:03 am

This right here should do the trick for you.

Code: Select all


