Drakkon
Diamond Member
Trying to secure a script that's used to post data to a DB that's later shown via HTML. Trying to avoid script attacks I was using htmlspecialchars, and to avoid SQL injection using sprintf and real_escape_string. Is this going overkill? Is there something easier?
//if there is a post make sure it only contains the 2 possible options
if(isset($_POST) && isset($_POST['id']) && isset($_POST['post']) && count($_POST)==2) {
    //make sure length of post variables is not too long
    if(strlen($_POST['id'])>2) die('Invalid id');
    if(strlen($_POST['post'])>80) die('message too long');
    //modify post variables to make sure they contain no malicious code
    $post = htmlspecialchars(sprintf('%s',$db->real_escape_string($_POST['post'])), ENT_QUOTES);
    $id = htmlspecialchars(sprintf('%s',$db->real_escape_string($_POST['id'])), ENT_QUOTES);
}
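The two concerns in the question (SQL injection and script injection into HTML) are best handled at two different points: SQL escaping belongs to the query, HTML escaping belongs to the output. The snippet below is an added example written for this thread, not the original poster's code. It assumes `$db` is a mysqli connection (consistent with the `real_escape_string` call above) and a hypothetical table `posts` with two text columns, `id` and `post`; both names are assumptions. It keeps the poster's length limits but replaces `sprintf` + `real_escape_string` with a prepared statement and moves `htmlspecialchars` to the point where the value is rendered.

```php
<?php
// Added example, not the original poster's code.
// Assumes: $db is a connected mysqli object; table posts(id, post) exists.
declare(strict_types=1);

// Input side: check shape and size only. Returns [id, post] or null.
// Validation does not try to "remove malicious code", because what counts as
// dangerous depends on where the value is later used (SQL, HTML, JSON...).
function read_post_input(array $request): ?array
{
    // Same rule as the original: exactly the two expected fields.
    if (count($request) !== 2 || !isset($request['id'], $request['post'])) {
        return null;
    }
    $id   = $request['id'];
    $post = $request['post'];
    if (!is_string($id) || !is_string($post)) {
        return null;   // arrays (id[]=...) are rejected, not coerced
    }
    // Same limits as the original, counted in characters rather than bytes.
    if (mb_strlen($id, 'UTF-8') === 0 || mb_strlen($id, 'UTF-8') > 2) {
        return null;
    }
    if (mb_strlen($post, 'UTF-8') > 80) {
        return null;
    }
    return [$id, $post];
}

// SQL side: a prepared statement sends the values separately from the query
// text, so neither sprintf nor real_escape_string is needed any more.
function store_post(mysqli $db, string $id, string $post): bool
{
    $stmt = $db->prepare('INSERT INTO posts (id, post) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $id, $post);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// HTML side: escape every time the value is written into a page.
// The database keeps the raw text, so there is no double escaping
// (no stored "&amp;amp;") and the same row can be reused outside HTML.
function render_post(string $id, string $post): string
{
    $flags = ENT_QUOTES | ENT_HTML5;
    return '<p data-id="' . htmlspecialchars($id, $flags, 'UTF-8') . '">'
         . htmlspecialchars($post, $flags, 'UTF-8')
         . '</p>';
}

$input = read_post_input($_POST);
if ($input === null) {
    http_response_code(400);
    exit('Invalid request');
}
[$id, $post] = $input;
if (!store_post($db, $id, $post)) {
    http_response_code(500);
    exit('Could not save post');
}
echo render_post($id, $post);
```

The practical difference from the original snippet: `sprintf('%s', ...)` adds nothing, and `real_escape_string` is only correct when the result is immediately placed inside a quoted SQL literal in the same query; a bound parameter removes that coupling entirely. Running `htmlspecialchars` before storage, as the original does, works for one HTML page but stores already-encoded text, so any other consumer of the row (an API, a feed, a plain-text export) sees `&lt;` and `&quot;` instead of the user's actual characters, and a second escape on output turns them into `&amp;lt;`.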