aim25, posted June 23, 2008:

Hey, I'm working on a registration script. But as I went through it I started thinking about security. So I searched and I got a few commands:
- mysql_real_escape_string()
- magic_quotes_gpc()
I'm not sure how these work, or which one is better. But I've been advised that I have to use addslashes() with magic_quotes_gpc. Then I also saw things like str_replace() being used, and other ways of taking the "magic quotes" out of the string. So what's the best way to protect against SQL injections?
DeanWhitehouse, posted June 23, 2008:

mysql_real_escape_string
bluejay002, posted June 23, 2008:

SQL injections? I myself am a newbie... but I do some stuff: I sanitize the input fields with only the valid characters expected. Using mysql_real_escape_string() before storing data is also nice, so please do. Someone advised also to use sprintf() before the whole query string itself... You might want also to strip tags (XSS) if some characters are just too necessary, just in case. I am only using addslashes when necessary on a certain field, that is if the field contains characters that need to be slashed.
DeanWhitehouse, posted June 23, 2008:

To protect from XSS (I think) use htmlspecialchars or htmlentities, can't remember which. Soz.
gijew, posted June 23, 2008:

A few things I'm doing when I'm writing forms are:
- Check input is what you expect. Example: name contains only alpha chars, email is formatted properly, etc. You don't need things like *^% or whatever most of the time.
- Limit the amount of characters. Example: names don't need 255 characters to be valid. Shorten it up to 30-40.
- Strip code out of every string (unless you want it). Example: strip_tags($string). There are better (longer and more involved) ways to do this as well.
- Get rid of whitespace, etc. Example: trim($string).
- When inserting numerical strings into a table I don't escape them. Example: insert into table (integer_field) values (1). It was explained to me way back when that when you DON'T escape, the query will fail if you get anything except numerical input.
I could probably go on and on but those will help quite a bit. Do a few searches on Google for PHP security and form validation. There is an absolute wealth of info out there and it can only help... and confuse. Good luck!
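The steps the replies above recommend (check each field against what it should contain, cap its length, strip tags, trim, escape string values at query time, leave validated integers unquoted, and encode again for HTML on output), strung together in one script. This is an added example, not code posted by anyone in the thread. It uses mysqli rather than the mysql_* functions the thread names, because mysql_real_escape_string() was removed in PHP 7 and mysqli_real_escape_string() is its direct replacement; the prepared-statement version at the end goes beyond what the thread discusses. The table `users`, its columns, the connection details and the sample form values are all assumed for illustration.

```php
<?php
// Added example for this thread, not code posted by any of its participants.
// Steps: validate -> cap length -> strip tags -> trim -> escape at query time
// (strings only) -> encode for HTML on output. mysqli replaces the removed
// mysql_* functions. Table `users`, its columns and the credentials are assumed.

// --- 1. Validation: accept only what each field should contain -----------------

function validate_username(string $raw): ?string {
    $name = trim($raw);                            // get rid of whitespace
    if (strlen($name) < 3 || strlen($name) > 30) { // names don't need 255 chars
        return null;
    }
    return preg_match('/^[A-Za-z0-9_]+$/', $name) ? $name : null; // only expected chars
}

function validate_email(string $raw): ?string {
    $email = trim($raw);
    if (strlen($email) > 254) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

// Integers are validated as integers and never quoted into the query as strings.
function validate_age(string $raw): ?int {
    $age = filter_var(trim($raw), FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    return $age === false ? null : $age;
}

// Free text: strip markup, trim, cap length. Escaping happens later, at query time.
function validate_about(string $raw): ?string {
    $about = trim(strip_tags($raw));
    return strlen($about) <= 500 ? $about : null;
}

// --- 2. Escaping at query time -------------------------------------------------
// mysqli_real_escape_string() needs the live connection because the escaping
// depends on the connection's character set.

function build_insert_escaped(mysqli $db, string $name, string $email, int $age, string $about): string {
    $n = mysqli_real_escape_string($db, $name);
    $e = mysqli_real_escape_string($db, $email);
    $a = mysqli_real_escape_string($db, $about);
    // $age is a range-checked int, so it is interpolated unquoted, as gijew describes.
    return "INSERT INTO users (username, email, age, about) VALUES ('$n', '$e', $age, '$a')";
}

// --- 3. The same insert as a prepared statement (beyond the thread) ------------
// Placeholders send the data separately from the SQL text, so there is nothing
// to escape and no quoting mistake to make.

function insert_user_prepared(mysqli $db, string $name, string $email, int $age, string $about): bool {
    $stmt = $db->prepare('INSERT INTO users (username, email, age, about) VALUES (?, ?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ssis', $name, $email, $age, $about);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// --- 4. Output encoding (the XSS side) -----------------------------------------
// Escaping for SQL does nothing for HTML; encode again when echoing stored data.

function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Usage with constructed form input -----------------------------------------

$post = [                                  // constructed sample standing in for $_POST
    'username' => '  alice_42  ',
    'email'    => 'alice@example.com',
    'age'      => '29',
    'about'    => "I'm <b>bold</b> & I like O'Reilly books",
];

$name  = validate_username($post['username']);
$email = validate_email($post['email']);
$age   = validate_age($post['age']);
$about = validate_about($post['about']);

if ($name === null || $email === null || $age === null || $about === null) {
    exit("invalid input\n");                // reject; do not try to "fix" bad input
}

echo "about, ready for HTML: ", html($about), "\n";

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make failures throw
try {
    // Placeholder credentials (assumed); replace with real ones.
    $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
    $db->set_charset('utf8mb4');            // escaping must match the connection charset
    echo build_insert_escaped($db, $name, $email, $age, $about), "\n";
    var_dump(insert_user_prepared($db, $name, $email, $age, $about));
} catch (mysqli_sql_exception $e) {
    echo "no database available: ", $e->getMessage(), "\n";
}
```

The validation functions run without a database, so the script can be tried as-is to see which inputs are rejected; the two insert paths only run when the assumed connection succeeds. Note that the validated `$age` is the only value interpolated without quotes, and that `html()` is applied at output time regardless of how the value was escaped for SQL.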