Sanitizing Form Data With PHP
No matter where you first learn about SQL injection, XSS, or form-handling security, one phrase seems to pop up everywhere: "Never trust the user's input." Turned around, it reads "Protect yourself from attackers who will try to put malicious code into your forms." With that in mind, you should always build your forms with code that sanitizes user input. The code below will get you off to a decent start.
```php
### CHANGE ### SANITIZE LOGIN
// Assumed: $link is an open mysqli connection (from mysqli_connect()).
// The original called mysql_real_escape_string(), whose mysql extension was
// removed in PHP 7; mysqli_real_escape_string($link, ...) is the replacement.
$my_username = mysqli_real_escape_string($link, htmlspecialchars(trim($_POST['login'])));
$my_username = mb_convert_encoding($my_username, 'UTF-8', 'UTF-8'); // strips invalid UTF-8 byte sequences
// Caveat: htmlentities() after htmlspecialchars() double-encodes '&' (& -> &amp;amp;).
$my_username = htmlentities($my_username, ENT_QUOTES, 'UTF-8');
// The password is md5-hashed before escaping, as in the original.
$my_password = mysqli_real_escape_string($link, htmlspecialchars(md5(trim($_POST['password']))));
$my_password = mb_convert_encoding($my_password, 'UTF-8', 'UTF-8');
$my_password = htmlentities($my_password, ENT_QUOTES, 'UTF-8');
### END SANITIZE
```
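As an added example (not the original post's code), here is the same login handled the way a reviewer would ask for it today: the username is bound as a query parameter instead of escaped, the password is checked with password_verify(), and HTML escaping happens only at output time. It uses a constructed in-memory SQLite database so it runs offline, and assumes the pdo_sqlite extension is available.

```php
<?php
declare(strict_types=1);

// Constructed sample database: one account, password stored with password_hash().
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Validate rather than "sanitize": reject input that is not a plausible username.
function normalizeUsername(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || strlen($name) > 64 || !mb_check_encoding($name, 'UTF-8')) {
        return null;
    }
    return $name;
}

// The username is a bound parameter, never part of the SQL text, so an input
// such as "' OR 1=1 --" is just a value that matches no row.
function login(PDO $db, string $rawUser, string $rawPass): bool
{
    $user = normalizeUsername($rawUser);
    if ($user === null) {
        return false;
    }
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($rawPass, $row['pw_hash']);
}

// Escape for HTML at output time only; the stored value stays unescaped.
function greeting(string $user): string
{
    return '<p>Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</p>';
}

$db = makeDb();
var_dump(login($db, 'alice', 'correct horse'));
var_dump(login($db, "' OR 1=1 --", 'anything'));
echo greeting('<script>alert(1)</script>'), PHP_EOL;
```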