
Security Q


behzad


Can someone please put me in the right direction?

 

Things I need to make sure that are secure and the correct way of doing are:

 

  • The secure way of sending a variable to another page (e.g. xyz_page.php?var1=info)
  • The secure way of collecting the received variable above
  • The secure way of getting data out of a MySQL table ("Query"); e.g. I have seen some use variables like '{$var1}', some ' $var1', and some '{$HTTP_POST_VARS($Var1)}'

 

I see programmers doing it in all kinds of different ways, but as a newbie I am not sure which way to go and what the current, secure way is.

 

Could someone briefly explain please?

 

I make the program work, but not sure if it is secure or the right way.

 

Thanks

 


A good way to do all of that is to use $_SESSION variables to transfer the data between pages. On a form, if the information is sensitive, don't use $_GET, use $_POST, because POST from a form is not displayed in the browser's address bar. As for your database, set up a user with limited privileges for the everyday user and a full-privilege user that an admin like you would use.

 

http://www.w3schools.com/php/php_sessions.asp

 

http://us.php.net/manual/en/ref.session.php


For forms use POST, and if that data is going to be inserted into a database (which is mostly the case) you basically need two functions to prevent XSS and SQL injection:

 

$myVar = htmlentities(mysql_real_escape_string($_POST['myvar']));

 

The same applies to GET variables, and there's no security risk in setting them; you just need to sanitize the input when you retrieve it. For extended security, you can test its length or type. Let's say you are passing index.php?id=10 and you know that id can't be anything other than a number and its length not more than 3, so you do:

 

// escape for the SQL string and for HTML (mysql_real_escape_string() needs an open mysql_connect() link)
$id = htmlentities(mysql_real_escape_string($_GET['id']));
// reject the id if it is not numeric OR if it is longer than 3 characters
if (!is_numeric($id) || strlen($id) > 3) {
    die('The id is invalid');
}
// the rest of the code

 

There's no risk in getting data from MySQL as long as the input is sanitized with the above methods. The curly braces {} are mainly used when having arrays like: "SELECT * FROM table WHERE id='{$values['id']}'" so you won't have parse errors for repeated single quotes. In most cases they are used for keeping track of variables inside strings.
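As an added example (not code from this thread), the three steps the question asks about done with current PHP: the query-string id validated the way the answer above describes, the database read through a PDO prepared statement instead of mysql_real_escape_string(), and HTML escaping applied at the point of output rather than before storing. The table, columns, DSN and credentials are placeholders.

```php
<?php
// Added example, not from the thread. Placeholders: table "users",
// columns "name"/"bio", DSN and the low-privilege account "app_ro".

// 1. Validate the id: only 1 to 3 digits are accepted, matching the
//    answer's rule "a number, length not more than 3". $_GET['id'] may
//    also be missing or an array (?id[]=1), so check it is a string.
function validId($raw): ?int {
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 3) {
        return null;            // invalid: caller decides how to fail
    }
    return (int) $raw;
}

$id = validId($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    die('The id is invalid');
}

// 2. Query with a prepared statement: the value travels separately from
//    the SQL text, so no quoting or escaping of $id is needed and the
//    value cannot change the query. Use a read-only DB account here.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4',
               'app_ro', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
$stmt = $pdo->prepare('SELECT name, bio FROM users WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    http_response_code(404);
    die('No such user');
}

// 3. Escape when printing into HTML, not before storing: the database
//    keeps the raw text, and htmlspecialchars() protects this page.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
echo '<h1>' . h($row['name']) . '</h1>';
echo '<p>' . h($row['bio']) . '</p>';
```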
