My question now is: do you deem that a procedure like the following is correct to provide security to the database when transmitting to it user inputs that could go in any UTF8? It's in PHP:
=================
$data = htmlentities($data, ENT_QUOTES, 'UTF-8'); // assumption: it is better to have in a DB entities than raw UTF8 though the DB is set to accept it (charset passed explicitly so multibyte input is not mangled)
$data = strip_tags($data); // i don't want to get the risk, simply
$data = mysql_real_escape_string($data); // escape for the SQL string, using the open connection's charset
=================
The above is applied to $data that is not meant to be MIME or URL/URI - these latter two undergo a more complex rearrangement that would be too long to discuss here.
Question is, for the $data above, would you suggest something more to do, or any particular suggestions that may enhance security on a UTF8 enabled DB that I could be unaware of?
Thank you
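An added example, not code from this thread or from any poster, showing the approach that avoids the problems in the chain above: bind user input as a parameter instead of splicing an escaped string into the query, tell the client library the connection charset, store the raw UTF-8, and encode for HTML only when rendering. Two caveats the chain above runs into: running htmlentities() before strip_tags() means strip_tags() never sees a "<" to strip, and storing entities makes a stored "O&#039;Neill" no longer match what the user types in a later WHERE or LIKE. mysql_real_escape_string() is only charset-aware when the connection charset was set through the client library (mysql_set_charset(), not a SET NAMES query), and the whole mysql_* extension was removed in PHP 7, so this example uses mysqli. The table, the connection placeholders and the sample inputs are constructed for the example.

```php
<?php
// Added example, not from the thread. Assumed table (constructed):
//   CREATE TABLE cities (id INT AUTO_INCREMENT PRIMARY KEY,
//                        name VARCHAR(190) NOT NULL) CHARACTER SET utf8mb4;
// DB_HOST / DB_USER / DB_PASSWORD / DB_NAME are placeholders.

declare(strict_types=1);

// Turn mysqli errors into exceptions so a failed prepare() cannot go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli
{
    $db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
    // set_charset() informs the client library as well as the server.
    // A plain "SET NAMES" query only changes the server side, so escaping
    // routines would still operate with the wrong idea of the charset.
    $db->set_charset('utf8mb4');
    return $db;
}

/**
 * Reject byte sequences that are not well-formed UTF-8 before they reach
 * the database. Malformed input is what trips up charset-aware escaping.
 */
function requireValidUtf8(string $s): string
{
    if (!mb_check_encoding($s, 'UTF-8')) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return $s;
}

/** Store the raw text. The value is sent separately from the SQL text. */
function insertCity(mysqli $db, string $name): int
{
    $name = requireValidUtf8($name);
    $stmt = $db->prepare('INSERT INTO cities (name) VALUES (?)');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return (int) $db->insert_id;
}

/** Exact-name lookup; works the same for O'Neill, São Paulo or 東京. */
function findCity(mysqli $db, string $name): ?array
{
    $name = requireValidUtf8($name);
    $stmt = $db->prepare('SELECT id, name FROM cities WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

/** Encode for HTML at the point of output, not at the point of storage. */
function renderName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Usage with constructed input that contains an apostrophe, accents and markup.
$db = connect();
$typed = "Côte d'Ivoire <b>test</b>";
insertCity($db, $typed);
$row = findCity($db, $typed);        // matches because nothing was rewritten on the way in
echo renderName($row['name']), "\n"; // markup is neutralised here, for the browser only
```

Because the name is bound as a parameter, the quote in "Côte d'Ivoire" needs no escaping and the stored value is exactly what the user typed, so the later lookup with the same string finds it. If the stored text must never contain markup at all, do that as a validation step (reject or strip on the raw input) rather than by storing entities.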
I attempt a reply anyway, providing some details - if they are not needed feel free to reformulate and I will try to provide all the info you may need.
Some data is retrieved from the DB knowing that, though all is set up for UTF8, they will be just US-ASCII (I mean: a-zA-Z0-9 plus punctuation - lots of apexes too because some names of cities or persons require that).
Other data can be input by the users and must be stored. Though I am not planning at this stage to allow fancy languages, I don't want to have to rearrange everything if in the future I do, so I thought to start soon with UTF8.
Select, Insert, Update, Views - all the paraphernalia goes.
Tables may require joins - there is no table that is not performing also as the foreign key to another.
I hope this helps a lil bit. If not, lemme know and thank you for your reply
Alberto
(assuming you're using the PEAR DB extension)
From my reading that's supposed to be the most secure way to perform a query, but don't take my word for it ;)
[pear.php.net...]