No checks are needed. PHP automatically escapes single quotes for MySQL queries assuming you have magic_quotes_gpc on, which means that if you want to send the same thing by email using PHP's mail() function you just have to call stripslashes() on the data. There are no magical characters that will let someone escape out of either scenario.
-Rasmus

On Mon, 19 Aug 2002, Steven wrote:

> After searching Google, reading the PHP manual, PHP mailing list archives,
> looking for clues on SANS and Security Focus, I have yet to find an answer
> to my question.
>
> I have a section in a form for a user to enter comments and/or questions.
> What should I be checking for, from a security standpoint, with my PHP
> script? The information will be both inserted into a database (MySQL) and
> sent via email.
>
> I have found examples for items such as phone numbers, addresses, email,
> etc., but nothing in regards to comments.
>
> Any direction would be greatly appreciated.
>
> Thank you,
> Steven
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
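An added illustration of the two forms of a posted comment that the reply describes (the backslash-escaped form for the MySQL query and the stripslashes() form for the mail body); this is example code written for this page, not code from the thread, and it assumes the PHP 4-era magic_quotes_gpc setting the reply refers to, falling back to addslashes() (which produces the same escaping) when that setting is off.

```php
<?php
// Return the two forms of a comment as received from the form:
//   'sql'  - backslash-escaped, as magic_quotes_gpc delivers it, for use
//            inside the single-quoted string literal of the INSERT
//   'mail' - the original text with the escaping removed, for mail()
// Assumes magic_quotes_gpc is on (as in the reply); when it is off,
// addslashes() yields the same escaped form.
function comment_forms($as_received)
{
    $escaped = get_magic_quotes_gpc() ? $as_received : addslashes($as_received);
    // stripslashes() undoes the magic-quotes escaping for the plain-text email.
    $plain = stripslashes($escaped);
    return array('sql' => $escaped, 'mail' => $plain);
}

// Constructed sample: a comment containing a single quote, built here
// exactly as the script would receive it under the current setting.
$raw = "I'd like to know more about the comments form";
$as_received = get_magic_quotes_gpc() ? addslashes($raw) : $raw;

$forms = comment_forms($as_received);

// Escaped form goes inside the quoted literal of the INSERT statement.
$sql = "INSERT INTO comments (body) VALUES ('" . $forms['sql'] . "')";
echo $sql, "\n";            // body literal reads 'I\'d like to know more ...'

// Plain form goes into the email body, so no backslashes reach the reader.
echo $forms['mail'], "\n";  // I'd like to know more about the comments form
// mail('webmaster@example.com', 'New comment', $forms['mail']); // placeholder address
```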