
Securing my site.


scottnicol


I understand encryption and so on, and am now making my encryption method have double salts from separate tables, and also completely random at user registration. I realized that if people were to type in <?php mysql_query(blablabla); ?> and delete a load of stuff, it would mess me about (or am I just being skeptical?). How can I strip all input/post of php tags, or rather stop it from executing (comments section of a blog).

https://forums.phpfreaks.com/topic/187332-securing-my-site/


//Function to sanitize values received from the form. Prevents SQL injection
// Needs an open mysql_connect() link: mysql_real_escape_string() uses the
// connection's character set to decide what to escape.
function clean($str) {
	$str = @trim($str);
	// Undo magic_quotes first so the value is not escaped twice
	if(get_magic_quotes_gpc()) {
		$str = stripslashes($str);
	}
	return mysql_real_escape_string($str);
}

This will clean stuff out of stuff and prevent mysql injection


Are you calling eval() on user input? If not, then it doesn't matter if they input PHP code into the comments section on a blog.

All you need to do is:

1) When inserting data into the database, use mysql_real_escape_string() (or the appropriate function for your database)

2) When displaying data, call strip_tags(), htmlentities(), or some other escaping function so that potentially dangerous input from one user is not sent to another user.


You can not sanitize data all in one go.

Use mysql_real_escape_string() when inserting the data or the appropriate escape function for your database.

Use an appropriate escaping function such as strip_tags() or htmlentities() after selecting data from the database and before sending it to the user's browser.

Do it any other way and your site will be vulnerable to attacks.

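The two-stage handling that the last two replies describe (escape for the database on the way in, escape for the browser on the way out), as an added example that is not code from this thread. It uses PDO with an in-memory SQLite database so it runs stand-alone; the `comments` table, the column names and the sample comments are constructed for the example. mysql_real_escape_string() no longer exists in current PHP, so the database-side step is done with a prepared statement and bound parameters, which does the same job for any driver.

```php
<?php
declare(strict_types=1);

// Stage 1: escape for the database. Bound parameters are sent separately
// from the SQL text, so quotes or PHP tags in the value never become SQL.
function storeComment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// Stage 2: escape for the browser. htmlspecialchars() turns <, >, &, " and '
// into entities, so a stored "<?php ... ?>" or "<script>" is shown as text
// instead of being parsed as markup by the next reader's browser.
function renderComment(array $row): string
{
    $author = htmlspecialchars($row['author'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $body   = htmlspecialchars($row['body'],   ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class=\"comment\"><b>{$author}</b><p>{$body}</p></div>";
}

// Read rows back and escape each one at display time, not at insert time.
function listComments(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT author, body FROM comments ORDER BY id') as $row) {
        $html .= renderComment($row) . "\n";
    }
    return $html;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY AUTOINCREMENT, author TEXT, body TEXT)');

// Constructed sample input: the kind of comment the opening post is worried about,
// plus a quote in a name and a script tag.
$samples = [
    ['alice',   'Nice post!'],
    ["O'Brien", "<?php mysql_query('DELETE FROM comments'); ?>"],
    ['carol',   '<script>alert(document.cookie)</script>'],
];
foreach ($samples as [$author, $body]) {
    storeComment($db, $author, $body);
}

// All three rows are present and the table still exists: the values were
// stored as literal text, nothing in them reached the SQL parser.
$count = (int) $db->query('SELECT COUNT(*) FROM comments')->fetchColumn();
if ($count !== 3) {
    throw new RuntimeException("expected 3 comments, found {$count}");
}

echo listComments($db);
// The PHP and script tags leave as &lt;?php ... ?&gt; and &lt;script&gt;, so
// nothing executes: PHP only runs code it parses from a file or from eval().
```

Running this with `php example.php` prints the three comments as escaped HTML. The point the replies make is visible in the structure: the database step and the browser step are separate functions, because a value that is safe for SQL is not automatically safe for HTML, and vice versa.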
