On my registration form I have four inputs:
username
password
email address
web address
Can't figure which off all available sanitizing methods is really needed:
strip_tags()
substr()
mysql_real_escape_string()
trim()
htmlentities()
addslashes()
. . . (you may add more)
Somewhere I found that a function is a must have, somewhere this function is declared as deprecated or less valuable the another one ...
Could someone be so kind to create a list of priorities for all four inputs above.
Note: PDO - prepared statements are already used for communication with database.
First you need to be clear about hat for you like to sanitize.
Because you use allready prepared statements there is no need for: mysql_real_escape_string()
If you like to deny you users the use of html, to avoid XSS you should perhaps use strip_tags()
To secure your html display agains not printable characters htmlentities() But in times of UTF-8 its a little obsolet.
For password input it can be used trim() because it helps if youser copys passwords with leading / attached space. Because outlook add spaces. But not everybody think this is an good idea, to trim passwords.
Depends on your Templating system it could be an good idea to use addslashes() for pre defined input values like
<input type="text" value="<?php addslashes($value); ?>" />
because it could be possible to do:
my value " /><script>evil things</script><
To have some kind of XSS in autocomplete forms.
In a few words:
When you add your data to database - use PDO's prepared statements with placeholders. That's it, nothing else is required.
When you output something from anywhere on the html page - you need to perform htmlspecialchars($string, ENT_QUOTES, 'UTF-8');, where the $string is the string you want to output in a "safe" manner.