Is this a bit overboard or am I doing the right thing?
Question by Kyle
For logging in:
$username = mysql_real_escape_string(htmlspecialchars(strip_tags(trim($_POST['username'])), ENT_QUOTES));
$password = mysql_real_escape_string(htmlspecialchars(strip_tags(trim($_POST['password'])), ENT_QUOTES));
For inserting data I re-use the same mysql_real_escape_string(htmlspecialchars(strip_tags(trim(...
I feel like this is bad practice because I’m using so many functions… Is this the right way to protect against mysql injection & prevent xss injection? Or is it completely overboard? Everything works fine and nothing is broken; my question really is, am I using things that are obsolete when paired together? Is there only one function that I should use for the job?
Thanks.
Answer by Quassnoi
What if I use <mysecretpassword> as a password?
It will be stripped and anyone will be able to login as me.
I think you should store the username and password as it is and do htmlspecialchars only when displaying them.
strip_tags seems to be unnecessary here at all unless you really dislike usernames like BlaBla aka Yada-Yada <C00lHax0r>
Answer by Starx
Here is what is suggested by most of the answers.
$username = mysql_real_escape_string(trim($_POST['username']));
$password = md5("mysalt".mysql_real_escape_string(trim($_POST['password'])));
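An added example, not code from the question or either answer, showing the approach both answers point toward: keep only trim() on input, send the values to MySQL as bound parameters (PDO), store a password hash rather than the password, and apply htmlspecialchars only when rendering. It assumes a table `users(username, password_hash)` and placeholder database credentials; the mysql_* functions used above were removed in PHP 7.

```php
<?php
// Added example (not from the question or either answer).
// Assumptions: PDO with the MySQL driver, a table users(username, password_hash),
// and placeholder connection credentials.

function db(): PDO {
    // Emulated prepares are disabled so parameters travel separately from the SQL text.
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'app', 'PLACEHOLDER_DB_PASSWORD',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
}

function register(PDO $pdo, string $username, string $password): void {
    // The username is stored exactly as typed (only trimmed); the password is never stored,
    // only a salted bcrypt hash produced by password_hash().
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([trim($username), password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $pdo, string $username, string $password): bool {
    // Parameter binding prevents SQL injection whatever the input contains, and
    // a password such as <mysecretpassword> is compared exactly as entered.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([trim($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                       // unknown user
    }
    return password_verify($password, $row['password_hash']);
}

// Escaping belongs at output time, in the context where the value is rendered:
// <C00lHax0r> is stored as-is and becomes &lt;C00lHax0r&gt; only in the HTML.
function renderUsername(string $username): string {
    return '<span class="user">'
        . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</span>';
}

// Usage, after checking both POST fields are present:
// register(db(), $_POST['username'], $_POST['password']);
// $ok = login(db(), $_POST['username'], $_POST['password']);
// echo renderUsername($_POST['username']);
```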