c_pattle Posted October 16, 2010 I have just made a couple of forms that submit data to a MySQL database. I was wondering what measures I need to take in order to keep the whole thing very secure. At the moment I have stripped the inputs of tags and forward slashes. Is there anything else I should do? Also, some fields in the form allow the user to enter a URL. With these fields I have not stripped them of forward slashes. Is this a bad idea? Should I do something like replace the forward slashes with something else and then reverse this process every time I extract that data from the database?
Gighalen Posted October 16, 2010 You can never be too safe with stripping stuff out of data submitted to a database. I've personally never built an application that handled URLs, but I might suggest using str_replace to replace all the / in URLs with a '-', then use the same str_replace function when you output the data to replace the '-'s with /. I hope that makes sense.
Pikachu2000 Posted October 16, 2010 Replacing slashes is pointless, and very likely to cause problems when retrieved. If you use the proper escape function before inserting them, you'll be fine. For string type data, it will be mysql_real_escape_string() (or mysqli_real_escape_string(), if you use the improved extension). For numeric data types, they should be validated and cast as the appropriate type, be it integer, float, decimal, etc.
c_pattle Posted October 16, 2010 Thanks. Is it okay to put "^" in databases?
Pikachu2000 Posted October 16, 2010 Share Posted October 16, 2010 Of course it is. Databases would be pretty useless if you couldn't store a full character set in them. The fact that a character is in a database doesn't make it a vulnerability. It's the actual process of how it's inserted or displayed that can be present a problem. Quote Link to comment Share on other sites More sharing options...
c_pattle Posted October 16, 2010 Cool. Thanks for all your help.