unistake Posted November 18, 2010 Share Posted November 18, 2010 Hi all, I have heard stories that hackers/viruses or basically something that you don't want uploaded to a server through a website form have been able to type some sort of code in to a html form field to access information. I know how to control the length of fields, how to validate that an email address is in the correct format etc. - but when it comes to having a textfield for the user to add up to 2000 characters of their own words, how can I protect from malicious code being inserted? The textfield is located inside the user area but anyone can join, so anyone ultimately can enter code! Thanks for the help. Quote Link to comment Share on other sites More sharing options...
Rifts Posted November 18, 2010 Share Posted November 18, 2010 stripslashes() and htmlspecialchars() Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted November 18, 2010 Share Posted November 18, 2010 Without knowing how the data in that field will be used, there's no way to answer the question with any degree of accuracy. Will it be inserted into a database, added to a file, redisplayed immediately, or . . . ? Quote Link to comment Share on other sites More sharing options...
unistake Posted November 18, 2010 Author Share Posted November 18, 2010 it will be stored in a mysql database and then displayed when called for in php. Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted November 18, 2010 Share Posted November 18, 2010 Since it's string data, you'll want to use mysql_real_escape_string() (or mysqli_real_escape_string if you're using the mysqli extensions) to escape characters that would be used in sql injection attacks. Note that you need a connection established to the database for mysql_real_escape_string() to work. mysql_connect( details, etc.); $textarea = mysql_real_escape_string($_POST['textarea']); "INSERT INTO table (field) VALUES ($textarea)"; When you retrieve and display the data, that is when you'd need to use a function such as htmlentities(), and/or possibly strip_tags() to help prevent XSS exploits. Quote Link to comment Share on other sites More sharing options...
unistake Posted November 18, 2010 Author Share Posted November 18, 2010 Thanks Pika, I will give that a go when I need it soon. do you know of any articles on these attacks, I would like to know more for security? Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted November 18, 2010 Share Posted November 18, 2010 If you just google preventing SQL injection and preventing XSS, you should get plenty of results. you can always questions here, too. Quote Link to comment Share on other sites More sharing options...
unistake Posted November 19, 2010 Author Share Posted November 19, 2010 thanks Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.