For logging in:

$username = mysql_real_escape_string(htmlspecialchars(strip_tags(trim($_POST['username'])), ENT_QUOTES));
$password = mysql_real_escape_string(htmlspecialchars(strip_tags(trim($_POST['password'])), ENT_QUOTES));

For inserting data I re-use the same mysql_real_escape_string(htmlspecialchars(strip_tags(trim(...

I feel like this is bad practice because I'm using so many functions... Is this the right way to protect against mysql injection & prevent xss injection? Or is it completely overboard? Everything works fine and nothing is broke--my question really is, am I using things that are obsolete when paired together? Is there only one function that I should use for the job?



Don't insert the password into your database as plain text... hash it and salt it... and then you don't need all those fancy htmlspecialchars and striptags for it either

Written by Mark Baker

mysql_real_escape_string() is the only necessary call here

Written by Pekka

Accepted Answer

What if I use <mysecretpassword> as a password?

It will be stripped and anyone will be able to login as me.

I think you should store the username and password as it is and do htmlspecialchars only when displaying them.

strip_tags seems to be unnecessary here at all unless you really dislike usernames like BlaBla aka Yada-Yada <C00lHax0r>

Written by Quassnoi
This page was build to provide you fast access to the question and the direct accepted answer.
The content is written by members of the community.
It is licensed under cc-wiki