$data = addslashes($data);
$data = strip_tags(htmlspecialchars($data));
$data = mysql_real_escape_string($data);
I use it as such:
$var = xssfilter($_POST['var']);
Does this look secure enough?
social_experiment wrote: If you are going to use the code, get rid of the magic quotes checks and apply filtering regardless of it; magic_quotes_gpc has been deprecated and shouldn't be relied upon at all.
Mordred wrote: htmlspecialchars($data) is insufficient protection when used in attribute context.
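The attribute-context point above, as an added example that is not part of the original thread: it renders a filtered value into an unquoted and a single-quoted attribute, then into a double-quoted attribute escaped with ENT_QUOTES, and lists the attributes a parser sees in each case. The function names and inputs are constructed for illustration, only the HTML step of the posted filter is reproduced (with ENT_COMPAT passed explicitly, the default before PHP 8.1), and the PHP DOM extension is assumed to be available.

```php
<?php
// Added example: function names and sample inputs are constructed for illustration.

// Returns the attribute names an HTML parser sees on the first <input> in $html.
function attribute_names(string $html): array
{
    libxml_use_internal_errors(true);   // fragments trigger parser warnings; collect them quietly
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    $input = $doc->getElementsByTagName('input')->item(0);
    foreach ($input->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    libxml_clear_errors();
    return $names;
}

// The HTML step of the posted filter, with the flags that were the default before PHP 8.1.
function thread_escape(string $data): string
{
    return strip_tags(htmlspecialchars($data, ENT_COMPAT, 'UTF-8'));
}

// Attribute-context encoding: escape both quote styles; the caller must always quote the value.
function attr_escape(string $data): string
{
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: neither contains <, >, & or a double quote.
$cases = [
    'unquoted attribute'      => ['<input value=%s>',   'a data-injected=1'],
    'single-quoted attribute' => ["<input value='%s'>", "' data-injected='1"],
];

foreach ($cases as $label => [$template, $input]) {
    $weak = sprintf($template, thread_escape($input));
    $safe = sprintf('<input value="%s">', attr_escape($input));
    printf("%s\n  weak: %s -> [%s]\n  safe: %s -> [%s]\n", $label,
        $weak, implode(', ', attribute_names($weak)),
        $safe, implode(', ', attribute_names($safe)));
}
```

In both weak renderings the parser reports a second attribute, `data-injected`, alongside `value`; in the quoted ENT_QUOTES renderings the whole input stays inside `value`.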