Hello there,
For one, if a user entered troublesome characters like single quote without escaping, whatever database operation you are trying to do will fail, which could cause unexpected problems.
Another thing is that if this is for something like forum scripts like this one, where the user input will be displayed to the public, you should pay attention to malicious code. For instance, adding <pre> or something would make your site look really ugly. Worse, if someone tries inserting malicious JavaScript, your site could become a gateway to information theft, etc. (you can see <pre>'s < and > got escaped with htmlentities() or something in here).
Quote:
How can I make it more secure?
At the very least, you should escape the troublesome characters in the data input with addslashes(). If, however, your PHP's magic_quotes_gpc is true, then GET, POST, and COOKIE will be automatically addslashes()-ed, so do not worry about this, or you would be adding two more unnecessary slashes. Nevertheless, just because it is true today doesn't mean it will stay the same tomorrow - especially if you are staying with a shared host, so check this value first with get_magic_quotes_gpc().
A simple example would be:
The above will get all your POSTed values into $a_post, addslashes()-ed. You can come up with your own, depending on your script's needs.
Good luck!
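The input escaping and the htmlentities() output escaping described in the reply above, as an added example that is not the poster's own code. It assumes a hypothetical helper escape_post_values() taking an array shaped like $_POST, and constructs its own sample input.

```php
<?php
// Added example (not the original poster's code): escape POSTed values for a
// database string the way the reply describes, checking magic_quotes_gpc
// first so values are not slashed twice.
// Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() itself in
// PHP 8.0, hence the function_exists() guard.
function escape_post_values(array $post) {
    $a_post = array();
    $already_slashed = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    foreach ($post as $key => $value) {
        if (is_array($value)) {
            // Nested form fields (e.g. name="tags[]") are escaped recursively.
            $a_post[$key] = escape_post_values($value);
        } else {
            $a_post[$key] = $already_slashed ? $value : addslashes($value);
        }
    }
    return $a_post;
}

// Escape a value for display in HTML so tags such as <pre> in user input are
// shown as text rather than rendered.
function display_value($value) {
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input standing in for $_POST.
$sample_post = array(
    'name'    => "O'Reilly",
    'message' => "<pre>hello</pre> it's me",
    'tags'    => array("php", "isn't"),
);

$a_post = escape_post_values($sample_post);
echo $a_post['name'], "\n";
echo $a_post['tags'][1], "\n";
echo display_value($sample_post['message']), "\n";
```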