Hi there,
I'm just wondering if I'm taking the right steps to protect my website against injection attacks and the like. At the moment I am using strip_tags($value) and then mysql_real_escape_string($value) for anything that the user is allowed freedom to input.
While googling around it was suggested that mysql_real_escape_string was better than strip_tags, as it was more secure, but I found that tags were still being allowed... as in I could input <?php echo "load of rubbish" ?> and it would take the value; when the page refreshed, it messed around with all of the code after it and thus messed everything up. I found the easy way around this was to strip the tags and then use mysql_real_escape_string.
Am I on the right track? As you can probably guess I'm very much a novice at this sort of thing, and while I am doing OK fumbling around the one thing I want to be sure of is security.
Thanks
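As an added example (not code from the original post) of the separation the question is circling: the SQL concern and the HTML concern are handled at different points, and mysql_real_escape_string only ever addressed the first. It uses PDO prepared statements for storage (the mysql_* functions were removed in PHP 7) and htmlspecialchars at output; the table name, its columns and the in-memory SQLite DSN are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Table name, columns and the
// SQLite DSN are assumptions; swap the DSN for a MySQL connection in real use.
//
// mysql_real_escape_string only escapes SQL metacharacters; it says nothing
// about HTML. A value like "<?php echo 1 ?>" or "<b>" is stored unchanged,
// and it is the *output* step that decides whether the browser treats it as
// markup. Prepared statements remove the SQL concern entirely because the
// value is never spliced into the query text.

function save_comment(PDO $db, string $author, string $body): void {
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    // Bound parameters travel separately from the SQL text, so quotes,
    // backslashes or tag characters in $author / $body cannot alter the query.
    $stmt->execute([':author' => $author, ':body' => $body]);
}

function render_comment(array $row): string {
    // Escape for the HTML context on the way *out*. ENT_QUOTES covers both
    // quote styles, so the value is also safe inside a quoted attribute.
    $author = htmlspecialchars($row['author'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $body   = htmlspecialchars($row['body'],   ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p><strong>$author</strong>: $body</p>";
}

// Demonstration against an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// An apostrophe and the exact kind of input the question mentions: both are
// stored verbatim, and neither breaks the query nor the rendered page.
save_comment($db, "O'Brien", '<?php echo "load of rubbish" ?> <b>bold</b>');

foreach ($db->query('SELECT author, body FROM comments') as $row) {
    echo render_comment($row), "\n";
}
```

Run it with `php example.php`: the stored text comes back intact from the database, and the browser shows the tags as literal text rather than executing or rendering them.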