aim25 Posted June 23, 2008
Hey, I'm working on a registration script. But as I went through it I started thinking about security. So I searched it and I got a few commands:
- mysql_real_escape_string()
- magic_quotes_gpc()
I'm not sure how these work, or which one is better. But I've been advised that I have to use addslashes() with magic_quotes_gpc. Then I also saw things like str_replace() being used, and other ways of taking the "magic quotes" out of the string. So what's the best way to protect against SQL injections?
https://forums.phpfreaks.com/topic/111421-need-some-advice/
DeanWhitehouse Posted June 23, 2008
mysql_real_escape_string
bluejay002 Posted June 23, 2008
SQL injections? I myself am a newbie... but I do some stuff: I sanitize the input fields with only valid characters expected. Using mysql_real_escape_string() before storing data is also nice, so please do. Someone advised also to use sprintf() before the whole query string itself... You might also want to strip tags (XSS) if some characters are just too necessary, just in case. I am only using addslashes when necessary on a certain field, that is if the field contains characters that need to be slashed.
DeanWhitehouse Posted June 23, 2008
To protect from XSS (I think) use htmlspecialchars or htmlentities, can't remember which. Sorry.
gijew Posted June 23, 2008
A few things I'm doing when I'm writing forms are:
- check input is what you expect. Example: name contains only alpha chars, email is formatted properly, etc. You don't need things like *^% or whatever most of the time.
- limit the amount of characters. Example: names don't need 255 characters to be valid. Shorten it up to 30-40.
- strip code out of every string (unless you want it). Example: strip_tags($string). There are better (longer and more involved) ways to do this as well.
- get rid of whitespace, etc. Example: trim($string)
- when inserting numerical strings into a table I don't escape them. Example: insert into table (integer_field) values (1). It was explained to me way back when that when you DON'T escape, the query will fail if you get anything except numerical input.
I could probably go on and on but those will help quite a bit. Do a few searches on Google for PHP security and form validation. There is an absolute wealth of info out there and it can only help...and confuse. Good luck!
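Added example, not from any poster in this thread: the original question asks how to protect a registration script against SQL injection, and the replies above suggest escaping, whitelisting input, length limits and output encoding. The script below puts those pieces side by side in PHP: a query built by string concatenation that an attacker-controlled username can rewrite, the same check done with a prepared statement (the answer that has replaced mysql_real_escape_string() since the mysql_* extension was removed in PHP 7.0, and magic_quotes_gpc in PHP 5.4), the whitelist validation gijew describes, and htmlspecialchars() for the separate XSS problem DeanWhitehouse mentions. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table layout, the sample row and the attack string are constructed for the example, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example (not the thread's own code). Assumes the pdo_sqlite extension.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT, password_hash TEXT)');

// Constructed sample row so the lookups below have something to match.
$db->exec("INSERT INTO users (username, email, password_hash) VALUES ('alice', 'alice@example.com', 'x')");

// 1. Vulnerable: the username is spliced into the SQL text, so quotes in the
//    input change the structure of the query instead of being compared as data.
function userExistsVulnerable(PDO $db, string $username): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '" . $username . "'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// 2. Hardened: a prepared statement sends the SQL and the value separately;
//    the driver never parses the value as SQL, so no escaping is needed
//    (this is also why integer fields need no special-casing when bound).
function userExistsSafe(PDO $db, string $username): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return (int) $stmt->fetchColumn() > 0;
}

// 3. Whitelist validation of the registration fields: only expected
//    characters, bounded length, properly formatted e-mail. Returns a list of
//    error messages; an empty list means the input is acceptable.
function validateRegistration(array $in): array
{
    $errors = [];
    $username = trim($in['username'] ?? '');
    $email    = trim($in['email'] ?? '');

    if (!preg_match('/^[A-Za-z0-9_]{3,30}$/', $username)) {
        $errors[] = 'username must be 3-30 letters, digits or underscores';
    }
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }
    return $errors;
}

// 4. Output encoding for anything echoed back into an HTML page (XSS).
//    This is a different problem from SQL injection and needs its own step;
//    SQL escaping does nothing for HTML and vice versa.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$attack = "x' OR '1'='1";
var_dump(userExistsVulnerable($db, $attack)); // bool(true): the OR clause matched every row
var_dump(userExistsSafe($db, $attack));       // bool(false): searched for the literal string
var_dump(validateRegistration(['username' => $attack, 'email' => 'not-an-email'])); // two errors
echo h('<script>alert(1)</script>'), "\n";    // &lt;script&gt;alert(1)&lt;/script&gt;
```

Validation and prepared statements do different jobs and both belong in a registration script: the whitelist keeps junk out of the database and gives the user a useful error, while the prepared statement is what actually prevents the injection, so it must be used even for fields that passed validation.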