vic vance, posted February 25, 2012 (https://forums.phpfreaks.com/topic/257764-possible-hacks/): Hey, I am going to code a forum in PHP. I am not exactly aware of security measures; the only thing I know is to use POST form submission. Is there anything else that I need to be aware of? Please help, thank you.
AyKay47, posted February 25, 2012: 1. Escape all user data before using it in an SQL statement using mysql_real_escape_string (assuming your db server is MySQL). This will prevent SQL injection and XSS. However, it is preferred to use PDO with prepared statements. 2. Do not use $_SERVER['PHP_SELF'] as a form's action; this will leave your forms open to XSS. 3. Make sure files and directories have the proper permissions so users cannot view and/or tamper with them. There is a list of things that you can do for added security; I'm sure other users will list more. I will leave you with some reading from php.net on the security subject: http://php.net/manual/en/security.php
requinix, posted February 25, 2012: Off the top of my sleep-deprived head (I'm at 21 hours, I think): SQL injection, XSS injection, cross-site request forgery, SSL, and encryption practices to start. There are also a few nuances with PHP like the downsides of loose typing, how form variables are strings, scalars versus arrays from forms and how PHP can barf on them.
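The points raised in the two replies above (parameterised SQL instead of escaping, no $_SERVER['PHP_SELF'] in the form action, output escaping against XSS, and a CSRF token), put together in one page handler. This is an added example, not code from the thread; it assumes a MySQL table posts(id, author, body), placeholder credentials, PHP 7.4 or later, and uses PDO because the mysql_ extension that provides mysql_real_escape_string was removed in PHP 7.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL table
// posts(id INT, author VARCHAR(64), body TEXT) and placeholder credentials.
session_start();

// SQL injection: bind values instead of splicing request data into the query.
function fetchPost(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT); // a post id is an integer, nothing else
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT author, body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// XSS: escape every user-controlled string at the point it becomes HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// CSRF: a per-session secret that every POST must echo back.
$_SESSION['csrf'] ??= bin2hex(random_bytes(32));
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && !hash_equals($_SESSION['csrf'], $_POST['csrf'] ?? '')) {
    http_response_code(403);
    exit('Bad request');
}

$pdo = new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$post = fetchPost($pdo, $_GET['id'] ?? '');
if ($post === null) {
    http_response_code(404);
    exit('No such post');
}
?>
<!-- Fixed action path instead of $_SERVER['PHP_SELF'], which reflects the request URL. -->
<form method="post" action="/post.php?id=<?= (int) $_GET['id'] ?>">
  <input type="hidden" name="csrf" value="<?= h($_SESSION['csrf']) ?>">
  <textarea name="body"></textarea>
  <button>Reply</button>
</form>
<h2><?= h($post['author']) ?></h2>
<p><?= nl2br(h($post['body'])) ?></p>
```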
vic vance (author), posted February 25, 2012: thank you