[thelist] Form Security

Jack Timmons codeacula at codeacula.com
Tue Jul 20 09:28:05 CDT 2010


On Tue, Jul 20, 2010 at 9:09 AM, Simon MacDonald <simonmacdonald at uk2.net> wrote:
> Like Davoud, I'd also be interested in seeing what would be considered the
> minimum PHP code to do it. I've googled this in the past and not found any
> consistent recommendations - I hacked together the above from my searches.

Howdy, Simon!

This is what we use here. Or, at least, this is what I aim for, even
though we have some legacy code lingering around I haven't had the
chance to fix:

Essentially:

$_POST['first_name'] = mysql_real_escape_string($_POST['first_name'], $link);

And, when displaying:

echo htmlentities($_POST['first_name']);

If they're Little Bobby Tables [1] that's fine. When we print the
labels, we accommodate what we can. We're here to serve the customer.
If we can't do what they want, we let them know and find alternatives
(Like when two people with different last names want both their names
on our gold card and their names go along the lines of Lindsay
Stephenpopadopolus).

trim would be fine to use, also (I'm pretty sure we do that. I've
either built it all into the background or we use a framework that
does it for us, so I forget), but otherwise, you shouldn't worry about
HTML tags, so long as you display them properly.

-- 
Jack Timmons
@_Codeacula
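The two-boundary pattern the post describes (escape once for SQL when the value enters a query, encode once for HTML when it is displayed, leave the content itself alone), worked through as an added example. This is not Jack's code; it uses mysqli rather than the mysql_* extension shown above because that extension was removed in PHP 7, and it assumes a reachable MySQL server with placeholder credentials, a table named customers, and the constructed inputs listed in the code.

```php
<?php
// Added example, not the original poster's code. Shows the pattern from the
// post: escape for SQL at the query boundary, encode for HTML at the display
// boundary. Uses mysqli because the mysql_* extension was removed in PHP 7.

// Escape a value for use inside a single-quoted SQL literal.
// The escaping is only correct if the connection's character set is set
// with set_charset(); mysqli_real_escape_string() reads it from $link.
function sql_escape(mysqli $link, string $value): string {
    return mysqli_real_escape_string($link, trim($value));
}

// Encode a value for an HTML text node or attribute. ENT_QUOTES also
// encodes single quotes, so the result is safe inside 'single-quoted'
// attributes; htmlentities() without it only encodes double quotes.
function html_encode(string $value): string {
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Same insert with a prepared statement: the value travels separately from
// the SQL text, so no escaping is needed and the charset caveat disappears.
function insert_first_name_prepared(mysqli $link, string $firstName): bool {
    $stmt = $link->prepare('INSERT INTO customers (first_name) VALUES (?)');
    $stmt->bind_param('s', $firstName);
    return $stmt->execute();
}

// Constructed sample inputs: the Bobby Tables payload from the post,
// a tag that must render as text, and a name with an apostrophe.
$samples = [
    "Robert'); DROP TABLE Students;--",
    '<script>alert(1)</script>',
    "  O'Brien  ",
];

// Display boundary: this part needs no database.
foreach ($samples as $raw) {
    echo html_encode($raw), "\n";
    // <script> becomes &lt;script&gt; and ' becomes &#039;,
    // so the browser shows the characters instead of interpreting them.
}

// Query boundary: only runs when a server is available.
mysqli_report(MYSQLI_REPORT_OFF);
$link = @new mysqli('localhost', 'user', 'pass', 'shop'); // placeholder credentials
if ($link->connect_errno === 0) {
    $link->set_charset('utf8mb4'); // must precede any call to sql_escape()
    foreach ($samples as $raw) {
        $sql = "INSERT INTO customers (first_name) VALUES ('"
             . sql_escape($link, $raw) . "')";
        echo $sql, "\n"; // the ' in the input is now \' and cannot close the literal
        insert_first_name_prepared($link, trim($raw));
    }
}
```

The value stored in the database is the customer's real name, tags and quotes included, exactly as the post recommends; the only thing that changes between contexts is the encoding applied at each boundary. Note that the escaped string from sql_escape() is for the query only and must not be what you store or display, otherwise backslashes accumulate and the HTML output shows them.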
