I would like to use string vars on a safe but universal way for using them in PHP code such as the example below. i've seen htmlspecialchars() but i don't think it's the best i can get for what i need. and mysql functions are definetly not a solution (things like mysql_real_escape_string are deprecated anyway).
what do you guys think would be the best solution for following situation:
$password = $_POST['password'];
$password_check = $_POST['password_check'];
//make $password and $password_check safe
if($password != $password_check)
{
$errors[] = 'The two passwords did not match';
}
thanks
So what if mysql_() is about to get deprecated? PHP has other options like mysqli_() and PDO
$password = mysqli_real_escape_string($connect, $_POST['password']);
$password_check = mysqli_real_escape_string($connect, $_POST['password_check']);
//make $password and $password_check safe
if($password != $password_check) {
$errors[] = 'The two passwords did not match';
}
I am not sure of the need to escape for injection here, in that you are doing nothing other than comparing two posted values. Whether or not the strings are sanitized at this point doesn't make a whole lot of difference in comparing their equivalence.
Of course, if you then use the values to query against the database you would need to escape with mysqli_real_escape_string and/or utilize prepared statements to project against SQL injection.
Another sanitation consideration you might have here is in the case that mismatched passwords would be pre-populated back into the form for correction. In this scenario, you would need to sanitize against XSS attacks.