zGrassman Posted October 11, 2007 Share Posted October 11, 2007 is strip_slashes() good enough to use to stop sql or php or html manipulation entered in to a html form post box? I understand there is still JS issues that i haven't looked into yet and url manipulation with mysql. Any short advise on those topics are appreciated but for now im just worried about html forms. Is killing slashes suffice? I know with a comma you can allow certain tags for certain situations. the form is username and password login and register for now, i havent used it anywhere else yet just so you have an idea what im working with. Quote Link to comment Share on other sites More sharing options...
littledragon Posted October 11, 2007 Share Posted October 11, 2007 Um, strip_slashes removes slashes, no? You mean magic_quotes? have a look at http://www.phpfreaks.com/forums/index.php/topic,159839.0.html and many other topics in this forum Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 12, 2007 Share Posted October 12, 2007 no gah *beats both of you* what you need is trim and strip_tags Quote Link to comment Share on other sites More sharing options...
zGrassman Posted October 12, 2007 Author Share Posted October 12, 2007 that is what i ment...strip_tags...oops? that is what i ment from the beginning so ill ask my question again only this time correctly is strip_tags() good enough to use to stop sql or php or html manipulation entered in to a html form post box? My bad.... LOL Quote Link to comment Share on other sites More sharing options...
sneamia Posted October 12, 2007 Share Posted October 12, 2007 htmlentities() mebbe? Quote Link to comment Share on other sites More sharing options...
zGrassman Posted October 12, 2007 Author Share Posted October 12, 2007 htmlentities() mebbe? You know what? that is pretty cool...i checked on php.net what it was about and i like this one better. At least with this one if i was to log a page I could tell if someone was trying to put crazyness into my forms. while the other one would just strip it. Im sure i could assign a seperate var before i strip the tags and then store it in a text file or maybe break it somehow...so it wouldnt be dangerous. but would just using strip_tags() be suffice or would i still be open to attacks. i dont want a whole lot of string functions when there is no need..i understand its all based on what you want your form to do or process i just wanted a general idea. thanks for the info on that function tho i really like it Quote Link to comment Share on other sites More sharing options...
sneamia Posted October 12, 2007 Share Posted October 12, 2007 foreach ($_REQUEST as $key => $value) { $_REQUEST[$key] = htmlentities($value); } This is what I have in the beginning of every page that has GET/POST variables pass through. Quote Link to comment Share on other sites More sharing options...
kenrbnsn Posted October 12, 2007 Share Posted October 12, 2007 If you really want to know about PHP security, read the PHP Security Guide Ken Quote Link to comment Share on other sites More sharing options...
zGrassman Posted October 12, 2007 Author Share Posted October 12, 2007 If you really want to know about PHP security, read the PHP Security Guide Ken OWNED lol pays to read i guess...ty = ) Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.