Some security issues ...

Hello all,
I'm coding (as a noob :)) an application that accesses a MySQL db to insert and search for books.

There are two kinds of user, user and admin, authenticated by a user/pass stored in the db. Admins have perm=1
and users 0. I have basically 2 problems. If you hit the "back" button of the browser you can get access again to the
pages visited previously by an admin or user.
Some quotes :


header("Cache-Control: no-cache, must-revalidate");
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");

if ((isset($_SESSION['user']) && ($_SESSION['perms'] == 1)) && (isset($_SESSION['logged']) && $_SESSION['logged'] == '1')) {
    // ... admin-only page content ...
}

This stuff works perfectly if you don't hit the back button and then reload ...

Another question ... I'd like to escape the input.
Which is the better way? Basically I need to check the user/pass and the input for inserting new books.
Is mysql_real_escape_string() what I'm looking for? Or maybe addslashes() &
stripslashes()? Or can escapeshellcmd do it?

Thx in advance


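The first post's two headers and session check, written out as an added example (this is not the poster's code or Tom's): a page-level gate that sends cache headers including no-store, which is the directive that tells the browser not to keep a copy that the Back button can replay, and a permission check that reads the same session keys the thread uses ('user', 'perms', 'logged'). The login and logout helpers, and the redirect target login.php, are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Assumes the session layout described
// in the first post: 'user' (name), 'perms' (0 = user, 1 = admin), 'logged' ('1').
declare(strict_types=1);

// Ask browsers and proxies not to store the page at all. 'no-store' is what
// matters for the Back button: 'no-cache' on its own only asks for revalidation,
// and a browser may still render the stored copy from history without a request.
function send_no_store_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');                        // HTTP/1.0 caches
    header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');  // a date in the past
}

// True when the session belongs to a logged-in user with at least $required_perm.
// Takes the session array as a parameter so the rule can be tested in isolation.
function session_has_perm(array $session, int $required_perm): bool
{
    if (!isset($session['logged']) || (string) $session['logged'] !== '1') {
        return false;
    }
    if (!isset($session['user'], $session['perms'])) {
        return false;
    }
    return (int) $session['perms'] >= $required_perm;
}

// Call at the top of every protected page, before any output is sent.
// The server-side check is the real control; the headers only stop the
// browser from showing a stale copy of a page it was once allowed to see.
function require_perm(int $required_perm): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    send_no_store_headers();
    if (!session_has_perm($_SESSION, $required_perm)) {
        header('Location: login.php', true, 303); // assumed login page
        exit;
    }
}

// After a successful password check: rotate the session id so an id issued
// before login cannot be carried over, then record the user and permission.
function establish_session(string $user, int $perms): void
{
    session_regenerate_id(true);
    $_SESSION['user']   = $user;
    $_SESSION['perms']  = $perms;
    $_SESSION['logged'] = '1';
}

// On logout: clear server-side state and expire the session cookie so the
// old id is useless even if the browser still remembers it.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage at the top of an admin-only page:
// require_perm(1);
// ... admin-only content ...
```

The permission rule is kept in session_has_perm() with the session passed in, which makes the difference between "no 'logged' flag", "logged in as user" and "logged in as admin" easy to exercise with constructed arrays. Note that after logout, a page reached with Back is served from the browser's history only if it was allowed to be stored; any reload or link click goes back through require_perm() and is redirected.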
I would say something like this

$something = mysql_real_escape_string(trim(strip_tags($_POST['something'])));

Good luck,

Thx Tom!

$something = mysql_real_escape_string(trim(strip_tags($_POST['something'])));

seems to have worked for INSERT, but I have problems now with the SELECT ...
If I enter something like "L' acqua", then for some reason it doesn't appear in the select result ...

Any idea ?

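An added example covering the escaping question from the first post and the SELECT problem in the last one; it is not the poster's code and does not use the poster's schema. Instead of escaping values into the query text, the values are bound as parameters, so an apostrophe in "L' acqua" is stored as an apostrophe and the same bound value matches it again on SELECT, with no escaping layer that could be applied a different number of times on the way in and on the way out. The table layout, the user/password handling and the in-memory SQLite database (chosen so the script runs offline; a MySQL DSN such as 'mysql:host=...;dbname=...' works with the same queries) are all assumptions.

```php
<?php
// Added example, not from the thread. Tables and data are constructed here.
declare(strict_types=1);

function open_db(): PDO
{
    // sqlite::memory: keeps this self-contained; on MySQL use the mysql: DSN
    // and also set PDO::ATTR_EMULATE_PREPARES to false for server-side prepares.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass_hash TEXT NOT NULL, perms INTEGER NOT NULL)');
    $db->exec('CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT NOT NULL, author TEXT NOT NULL)');
    return $db;
}

// Store a password hash, never the password; verification happens in PHP,
// so the password is never part of any query.
function add_user(PDO $db, string $name, string $password, int $perms): void
{
    $st = $db->prepare('INSERT INTO users (name, pass_hash, perms) VALUES (:n, :h, :p)');
    $st->execute([':n' => $name, ':h' => password_hash($password, PASSWORD_DEFAULT), ':p' => $perms]);
}

// Returns the perms level (0 or 1) on success, null on failure.
function check_login(PDO $db, string $name, string $password): ?int
{
    $st = $db->prepare('SELECT pass_hash, perms FROM users WHERE name = :n');
    $st->execute([':n' => $name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null;
    }
    return (int) $row['perms'];
}

// The title is bound, so quotes inside it are data, not SQL.
function insert_book(PDO $db, string $title, string $author): int
{
    $st = $db->prepare('INSERT INTO books (title, author) VALUES (:t, :a)');
    $st->execute([':t' => trim($title), ':a' => trim($author)]);
    return (int) $db->lastInsertId();
}

// Exact match: bind the raw value; nothing needs escaping for the apostrophe.
function find_books_by_title(PDO $db, string $title): array
{
    $st = $db->prepare('SELECT id, title, author FROM books WHERE title = :t');
    $st->execute([':t' => trim($title)]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Substring search: binding protects the query structure, but LIKE wildcards
// inside the user's text still need escaping so '%' and '_' match literally.
// '!' is used as the escape character because it is portable to MySQL and SQLite.
function search_books(PDO $db, string $term): array
{
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], trim($term));
    $st = $db->prepare("SELECT id, title, author FROM books WHERE title LIKE :t ESCAPE '!'");
    $st->execute([':t' => '%' . $escaped . '%']);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration with constructed data (not the thread's database):
$db = open_db();
add_user($db, 'admin', 'correct horse battery staple', 1);
insert_book($db, "L' acqua", 'Constructed Author');
insert_book($db, '100% pure', 'Another Author');

var_dump(check_login($db, 'admin', 'wrong') === null);
var_dump(check_login($db, 'admin', 'correct horse battery staple') === 1);
var_dump(count(find_books_by_title($db, "L' acqua")) === 1);  // apostrophe round-trips
var_dump(count(search_books($db, "L' ac")) === 1);
var_dump(count(search_books($db, '100%')) === 1);              // '%' matched literally
var_dump(count(find_books_by_title($db, "' OR 1=1 --")) === 0); // SQL syntax in a value is just text
```

Because the values never enter the SQL string, strip_tags() and addslashes() have no role in keeping the query intact; trim() is still reasonable as input normalisation, and output to HTML is a separate step handled with htmlspecialchars() at display time. The LIKE case is the one place where a value still needs escaping, and only for the wildcard characters, which is done with the explicit ESCAPE clause above rather than with a driver-specific escaping function.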