enkidu72

Some security issues ...

Hello all,
I'm coding (as a noob :)) an application to access a MySQL db to insert and search for books.

There are two kinds of user, user and admin, authenticated by a user/pass stored in the db. Admins have perm=1
and users = 0. I have basically 2 problems. If you hit the "back" button of the browser you can get access again to the
pages visited previously by an admin or user.
Some quotes:

[code=php:0]
<?php
// session_start() and header() must run before any output is sent
session_start();

// tell the browser not to serve this page from its cache
header("Cache-Control: no-cache, must-revalidate");
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
?>
[/code]

---------------
[code=php:0]
if ((isset($_SESSION['user']) && $_SESSION['perms'] == 1) && (isset($_SESSION['logged']) && $_SESSION['logged'] == '1')) {
    // admin-only content goes here
}
[/code]

This stuff works perfectly if you don't hit the back button and then reload ...

Another question ... I'd like to escape the input.
Which is the better way? Basically I need to check the user/pass and the input for inserting new books.
Is mysql_real_escape_string() what I'm looking for? Or maybe addslashes() &
stripslashes()? Or can escapeshellcmd do it?

Thanks in advance

David

I would say something like this:

[code=php:0]
// strip HTML tags, trim whitespace, then escape for use inside a quoted SQL string
$something = mysql_real_escape_string(trim(strip_tags($_POST['something'])));
[/code]

Good luck,
Tom

Thanks Tom!

[code=php:0]
$something = mysql_real_escape_string(trim(strip_tags($_POST['something'])));
[/code]

It seems to have worked for INSERT, but I have problems now for the SELECT ...
If I introduce something like "L' acqua", then for some reason it doesn't appear in the select result ...

Any idea ?
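As an added example (not code from the thread or from either poster), here is the INSERT and the SELECT written with PDO prepared statements instead of mysql_real_escape_string(), so that a title such as "L' acqua" is bound as data and round-trips through both queries without any manual escaping. The DSN, credentials, and the `books(id, title)` table are assumptions.

```php
<?php
// Added example: parameterised INSERT and SELECT with PDO. The apostrophe in
// "L' acqua" is passed as a bound value, never spliced into the SQL text, so no
// addslashes()/mysql_real_escape_string() step is needed for the SQL context.
// Assumptions (not from the thread): table `books(id, title)` and the DSN below.

function connect(): PDO {
    return new PDO('mysql:host=localhost;dbname=library;charset=utf8mb4',
                   'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Insert a book; the title is bound as a parameter.
function insertBook(PDO $pdo, string $title): int {
    $stmt = $pdo->prepare('INSERT INTO books (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
    return (int) $pdo->lastInsertId();
}

// Exact-title lookup: the same bound value finds the row that was inserted.
function findBooksByTitle(PDO $pdo, string $title): array {
    $stmt = $pdo->prepare('SELECT id, title FROM books WHERE title = :title');
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Substring search: the wildcards go into the bound value, not the SQL text.
// addcslashes() escapes a user-supplied % or _ so LIKE treats them literally
// (MySQL's default ESCAPE character is the backslash).
function searchBooks(PDO $pdo, string $fragment): array {
    $stmt = $pdo->prepare('SELECT id, title FROM books WHERE title LIKE :pat');
    $stmt->execute([':pat' => '%' . addcslashes($fragment, '%_') . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo   = connect();
$title = trim($_POST['title'] ?? "L' acqua"); // constructed fallback so the script runs without a form
insertBook($pdo, $title);
foreach (findBooksByTitle($pdo, $title) as $row) {
    // escaping belongs to the output context: HTML here, the bound parameter above for SQL
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
}
```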
