Only using strip_tags before inserting to DB? What about escaping quotes?
I really want to get to the bottom of this; this has bothered me for a while. I'm guessing that the answer is something so simple and obvious that it's right in front of me somewhere.
But I gotta know!
So, for example:
Page 84, Chapter 4, Code snippet boj-meta-box.php
Why is strip_tags() the only measure being taken to sanitize data before running update_post_meta()? What about escaping quotes? Doesn't strip_tags() still leave you vulnerable to SQL injection?
Last edited by scottfennell; April 13th, 2012 at 07:28 PM.