PHP Security


c_pattle


I have just made a couple of forms that submit data to a MySQL database. I was wondering what measures I need to take in order to keep the whole thing very secure. At the moment I have stripped the inputs of tags and forward slashes. Is there anything else I should do?

Also, some fields in the form allow the user to enter a URL. With these fields I have not stripped them of forward slashes. Is this a bad idea? Should I do something like replace the forward slashes with something else and then reverse this process every time I extract that data from the database?


You can never be too safe with stripping stuff out of data submitted to a database. I've personally never built an application that handled URLs, but I might suggest using str_replace to replace all the / in URLs with a '-', then use the same str_replace function when you output the data to replace the '-'s with /. I hope that makes sense.


Replacing slashes is pointless, and very likely to cause problems when retrieved. If you use the proper escape function before inserting them, you'll be fine. For string type data, it will be mysql_real_escape_string() (or mysqli_real_escape_string(), if you use the improved extensions). For numeric data types, they should be validated and cast as the appropriate type, be it integer, float, decimal, etc.

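The approach in the reply above, written out as an added example that is not code from the thread: string fields go through mysqli_real_escape_string() after the connection charset is set, the numeric field is validated and cast, and the same insert is shown a second time as a prepared statement, which keeps data and SQL apart without any escaping. The table and column names (`links`, `title`, `url`, `rating`) are assumed for the illustration; output escaping with htmlspecialchars() is included as the display-side counterpart.

```php
<?php
// Added example, not from the original thread. Assumed table:
//   CREATE TABLE links (id INT AUTO_INCREMENT PRIMARY KEY,
//                       title VARCHAR(200), url VARCHAR(2048), rating INT);

// Validate first: reject what does not fit, instead of "cleaning" it.
function validateInput(array $post): array {
    $title  = trim($post['title'] ?? '');
    $url    = trim($post['url'] ?? '');
    $rating = $post['rating'] ?? '';
    if ($title === '' || mb_strlen($title) > 200) {
        throw new InvalidArgumentException('title must be 1-200 characters');
    }
    // Slashes are fine in a URL; what matters is that it really is an http(s) URL.
    if (filter_var($url, FILTER_VALIDATE_URL) === false || !preg_match('#^https?://#i', $url)) {
        throw new InvalidArgumentException('url must be an absolute http(s) URL');
    }
    $opts = ['options' => ['min_range' => 1, 'max_range' => 5]];
    if (filter_var($rating, FILTER_VALIDATE_INT, $opts) === false) {
        throw new InvalidArgumentException('rating must be an integer 1-5');
    }
    return ['title' => $title, 'url' => $url, 'rating' => (int) $rating];
}

// Escape-function approach: every string is escaped for the connection's
// charset (mysqli_set_charset must have been called), every number is cast.
function insertEscaped(mysqli $db, array $row): bool {
    $sql = sprintf(
        "INSERT INTO links (title, url, rating) VALUES ('%s', '%s', %d)",
        mysqli_real_escape_string($db, $row['title']),
        mysqli_real_escape_string($db, $row['url']),
        $row['rating']   // already an int from validateInput()
    );
    return mysqli_query($db, $sql) === true;
}

// Same insert as a prepared statement: values are bound, never interpolated,
// so there is nothing to escape and no quoting to get wrong.
function insertPrepared(mysqli $db, array $row): bool {
    $stmt = mysqli_prepare($db, 'INSERT INTO links (title, url, rating) VALUES (?, ?, ?)');
    mysqli_stmt_bind_param($stmt, 'ssi', $row['title'], $row['url'], $row['rating']);
    return mysqli_stmt_execute($stmt);
}

// On display, escape for HTML; the stored data itself stays untouched.
function renderLink(array $row): string {
    return sprintf('<a href="%s">%s</a>',
        htmlspecialchars($row['url'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'));
}
```

Usage: `$db = mysqli_connect(...); mysqli_set_charset($db, 'utf8mb4'); insertPrepared($db, validateInput($_POST));`. Escaping and casting (or binding) on the way in, plus htmlspecialchars() on the way out, make the slash-replacement trick unnecessary.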

Of course it is. Databases would be pretty useless if you couldn't store a full character set in them. The fact that a character is in a database doesn't make it a vulnerability. It's the actual process of how it's inserted or displayed that can present a problem.
