For logging in:
$username = mysql_real_escape_string(htmlspecialchars(strip_tags(trim($_POST['username'])), ENT_QUOTES));
$password = mysql_real_escape_string(htmlspecialchars(strip_tags(trim($_POST['password'])), ENT_QUOTES));
For inserting data I reuse the same.
I feel like this is bad practice because I'm using so many functions... Is this the right way to protect against MySQL injection and prevent XSS injection? Or is it completely overboard? Everything works fine and nothing is broken -- my question really is, am I using things that are obsolete when paired together? Is there only one function that I should use for the job?
What if I use <mysecretpassword> as a password?
It will be stripped and anyone will be able to log in as me.
I think you should store the username and password as it is and do htmlspecialchars only when displaying them.
strip_tags seems to be unnecessary here at all unless you really dislike usernames like
BlaBla aka Yada-Yada <C00lHax0r>
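An added example in PHP, not from the question or the answer, that runs the question's sanitizing chain over the answer's <mysecretpassword> password and then shows the approach the answer recommends (store the value as-is, escape only when displaying); it goes a step beyond the answer by pairing that with a prepared statement and password_hash. The $pdo connection, the users table and its columns are assumptions.

```php
<?php
// Added example, not code from the question or the answer.

// The question's chain, minus mysql_real_escape_string (which needs a live
// MySQL link and is the wrong tool for this job anyway: use bound parameters).
function questionSanitize(string $input): string
{
    return htmlspecialchars(strip_tags(trim($input)), ENT_QUOTES);
}

// strip_tags treats "<mysecretpassword>" as an HTML tag and removes it, so
// whatever survives here is what the question's code would store and compare.
var_dump(questionSanitize('<mysecretpassword>'));

// What the answer recommends: keep the raw value. Assumes a PDO connection
// $pdo and a table users(username, password_hash); both are assumptions.
function registerUser(PDO $pdo, string $username, string $password): void
{
    // No stripping or escaping: the raw password is hashed, so the user is
    // bound to exactly the password they typed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:u, :h)'
    );
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function loginUser(PDO $pdo, string $username, string $password): bool
{
    // Bound parameters keep the value out of the SQL text, which is what
    // mysql_real_escape_string was trying to do by hand.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Output escaping happens only at display time, so a username such as
// "BlaBla aka Yada-Yada <C00lHax0r>" is stored intact and rendered safely.
function renderUsername(string $username): string
{
    return htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
}

echo renderUsername('BlaBla aka Yada-Yada <C00lHax0r>'), "\n";
```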
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki