What are today's best practices when it comes to getting information from a get/post and saving information to a database? Is data still escaped like it used to or are there ad
You should never assume that information from GET or POST is properly escaped, even if you do validation on your website: JavaScript can be disabled and requests can be manually coded to do an SQL injection attack. Use mysql_real_escape_string() when generating your query string.
http://php.net/manual/en/function.mysql-real-escape-string.php
As far as I can tell from quickly reading up on it, HTML Purifier is to parse output from WYSIWYG editors or anywhere where you're expecting proper HTML from the user. It gives you control to disallow and filter out certain things (like scripts) and makes sure all tags are properly nested and closed. It is especially important if you're dumping the HTML into your page after reading the data back from the database.
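The flow discussed in this thread (request value in, database row, HTML page out), written with bound parameters rather than string escaping and with output encoding for values shown as plain text. This is an added example, not code from any poster; it assumes PDO with the pdo_sqlite driver so it runs offline, and the `comments` table, the function names and the input values are hypothetical and constructed.

```php
<?php
// Added example: table, function and field names are hypothetical.
// Assumes the pdo_sqlite extension; with MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

// Constructed stand-in for $_POST: what a client can send no matter
// what JavaScript validation the page performs.
$post = [
    'author' => "O'Brien",
    'body'   => "nice'); DROP TABLE comments; -- <script>alert(1)</script>",
];

function saveComment(PDO $pdo, array $input): int
{
    // Validate shape on the server; reject rather than try to repair.
    $author = trim((string)($input['author'] ?? ''));
    $body   = trim((string)($input['body'] ?? ''));
    if ($author === '' || strlen($author) > 64 || $body === '' || strlen($body) > 2000) {
        throw new InvalidArgumentException('invalid comment');
    }
    // Placeholders keep the data out of the SQL text, so quotes in the
    // input are stored as data and no manual escaping is involved.
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int)$pdo->lastInsertId();
}

function renderComment(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '';
    }
    // Data read back from the database is still untrusted: encode it
    // for the HTML context at output time.
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p><b>' . $e($row['author']) . '</b>: ' . $e($row['body']) . '</p>';
}

$id = saveComment($pdo, $post);
echo renderComment($pdo, $id), PHP_EOL;
echo (int)$pdo->query('SELECT COUNT(*) FROM comments')->fetchColumn(), " row(s) stored\n";
```

Where the user's HTML has to be kept as HTML (the WYSIWYG case), a sanitizer such as HTML Purifier takes the place of htmlspecialchars() in renderComment(); the bound-parameter insert stays the same.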