Safely storing and outputting data

Problem

On my application I use this method to store and to output the data. I would like to know if it is safe and correct.

```php
## store the data ##
// sanitize
function clean($testo)
{
    $config = HTMLPurifier_Config::createDefault();
    $purifier = new HTMLPurifier($config);
    $testo = $purifier->purify($testo);

    $testo = mysql_real_escape_string($testo);
    return $testo;
}
$value = clean($_POST['value']);
// the clean function contain mysql_real_escape_string and htmlpurifier class
$sql = mysql_query("insert into table values(null,$value);");

## output the data ##
$sql = mysql_query("select * from table");
$val = mysql_fetch_array($sql);
function echoValue($valore)
{
    $valore = htmlspecialchars(strip_tags(stripslashes($valore)), ENT_QUOTES, "UTF-8");
    return $valore;
}
echo echoValue($val);
// the echoValue function contain strip_tags and htmlentities
```

Solution

To “Safely” store data, please don’t use mysql_* functions. Use PDO or mysqli.

Also, use prepared statements wherever you use a “where” clause in queries. That will protect you against injection.

http://au1.php.net/pdo.prepared-statements
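The same store/output flow rewritten with PDO prepared statements, as an added example (not the answerer's code and not from the original question). It uses an in-memory SQLite database so it runs offline; the table and column names (`notes`, `body`) and the sample input are assumptions. The point it shows is the one the answer makes: the value is bound as a parameter rather than escaped into the query string, and HTML escaping happens once, at output time, in the function that renders the value.

```php
<?php
// Added example, not from the original question or answer.
// Assumed schema: a "notes" table with an integer id and a text "body".

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Store: the value travels as a bound parameter, so the database never
// parses it as SQL. Nothing is escaped before storage; the raw text is kept.
function storeNote(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO notes (id, body) VALUES (NULL, :body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Output: escape for the HTML context at the point of output, not before.
function renderNote(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: contains a quote (which would break a query
// built by string concatenation) and a tag (which must not reach the page raw).
$input = "O'Reilly & <b>co</b>";

storeNote($pdo, $input);

$rows = $pdo->query('SELECT id, body FROM notes')->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    // The stored text is exactly the input; escaping is applied only here.
    echo $row['id'], ': ', renderNote($row['body']), "\n";
}
```

Swapping the DSN for a MySQL one (`mysql:host=...;dbname=...`) leaves the two functions unchanged, since the placeholder syntax is handled by PDO rather than by the driver.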
