sh0wtym3 Posted April 3, 2009

My website was recently hacked, so I learned the hard way that you can't leave PHP vulnerability issues on the back burner. I've been reading up on PHP security (here on phpfreaks.com actually), and I need to "clean" any data being sent to my server before it is sent. What would be the best way (or combination of ways) to accomplish this?

There's mysql_real_escape_string to escape form data
There's strip_tags to remove <> tags and anything inside them
There's eregi to only allow certain characters

Should I use all of these together, and are there any useful functions I might be missing?
redarrow Posted April 3, 2009

You need to validate all information posted to a database with preg_match or preg_match_all. You also need to protect the database with mysql_real_escape_string(). That's it, unless it's a distribution project; then you use more validation functions. The more you validate information, the less you get hacked.
sh0wtym3 Posted April 3, 2009 (Author)

Thanks for the input, I will use both preg_match and mysql_real_escape_string from now on.
xtopolis Posted April 3, 2009

I would like to add that most of what you described is only bad if the code is executed with the improper input.

Another function: htmlentities

Other client-side deterrents:
- form fields that match input type
- limiting length of input
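Putting the thread's advice together in one place, as an added example that is not code from any poster: whitelist validation with preg_match() and a length cap, a bound parameter through PDO in place of mysql_real_escape_string() (the mysql_* functions were removed in PHP 7), and htmlentities() applied when rendering. The form fields, table and column names are assumptions.

```php
<?php
// Added example, not code from the thread: whitelist validation with preg_match(),
// a bound parameter via PDO in place of mysql_real_escape_string() (the mysql_*
// functions were removed in PHP 7), and htmlentities() applied on output.
// The form fields, table and column names are assumed.
// Accept only what each field is allowed to contain and reject everything else.
function validateSignup(array $input): array
{
    $rules = [
        'username' => '/^[A-Za-z0-9_]{3,20}$/',        // letters, digits, underscore
        'email'    => '/^[^@\s]{1,64}@[^@\s]{1,255}$/', // shape check, refined below
    ];
    $clean = [];
    $errors = [];
    foreach ($rules as $field => $pattern) {
        $value = (string) ($input[$field] ?? '');
        // Cap length first so oversized input is dropped before the regex runs.
        if (strlen($value) > 320 || !preg_match($pattern, $value)) {
            $errors[] = "invalid $field";
            continue;
        }
        $clean[$field] = $value;
    }
    if (isset($clean['email']) && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email';
        unset($clean['email']);
    }
    return ['data' => $clean, 'errors' => $errors];
}

// Store with bound parameters: the values never become part of the SQL text.
function insertUser(PDO $db, array $data): void
{
    $stmt = $db->prepare('INSERT INTO users (username, email) VALUES (:username, :email)');
    $stmt->execute([':username' => $data['username'], ':email' => $data['email']]);
}

// Escape when rendering, not when storing: the database keeps the original text.
function render(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: the apostrophe and space fail the username rule.
$result = validateSignup(['username' => "bob o'brien", 'email' => 'bob@example.com']);
foreach ($result['errors'] as $error) {
    echo render($error), "\n";
}
```

Validation decides what is accepted, the bound parameter keeps the database safe regardless of the value, and output escaping is what actually prevents stored text from being interpreted as HTML.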