elis (posted November 11, 2007):

I have a fairly quick question. I'm still working on learning PHP security features, and though I've visited several websites about the issue, I'm still slightly confused. My question is this: if I use

    $value = trim(htmlentities(strip_tags(mysql_real_escape_string($_POST['value']))));

is this correct? If not, could you please point me in the right direction?
elis (posted November 11, 2007):

Also, should this be done with all form fields, even if they're dropdown or radio?
L (posted November 11, 2007):

I've got another security question (sorry to intrude, but it's better than making another topic). Should I encrypt my sessions so no one could duplicate them and try to log in as the admin (if possible)?
Daukan (posted November 11, 2007):

If you are putting a string into a database and don't accept HTML:

    <?php
    $value = mysql_real_escape_string(strip_tags(trim($_POST['value'])));
    ?>

How you validate and sanitize really depends on what, where and how you are using the data. If you don't accept HTML you might want to tell the user:

    <?php
    if (strip_tags($_POST['value']) != $_POST['value']) {
        echo 'error message';
        // redisplay form
        exit();
    }
    ?>

Yes, validate drop downs, checkboxes, anything from post, get, cookie or request data. If you have a radio form you could use an array to validate:

    <?php
    $good_radio_input = array('yes', 'no', 'maybe so');
    // in_array() needs the list of allowed values as its second argument
    if (!in_array($_POST['value'], $good_radio_input)) {
        // do error handling
    }
    ?>
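The point Daukan makes, that the right handling depends on where the value ends up, is easier to see with the three destinations side by side. The following is an added example and not Daukan's code: a radio value is checked against the list the form offered, free text is rejected if it carries markup, the database write uses bound parameters (mysql_real_escape_string() belongs to the mysql extension that was removed in PHP 7, so PDO is assumed here), and escaping happens only when the value is written into HTML. The field names, the allowed radio values, the table name and the sample submissions are all constructed for the example; SQLite is used only so it runs offline.

```php
<?php
// Added example, not Daukan's code: each field is handled according to
// where its value ends up (compare, store, display). Field names, the
// allowed radio values and the table name are assumptions.

// Validation for a radio/drop-down: the value must be one the form offered.
// The third argument makes in_array() compare strictly, so '0' is not 'no'.
function validateChoice(array $post, string $field, array $allowed): ?string
{
    $value = $post[$field] ?? null;
    return is_string($value) && in_array($value, $allowed, true) ? $value : null;
}

// Validation for free text that must not contain HTML: reject it instead of
// silently stripping, so the form can be redisplayed with an error.
function validatePlainText(array $post, string $field): ?string
{
    $value = $post[$field] ?? null;
    if (!is_string($value)) {
        return null;
    }
    $value = trim($value);
    return strip_tags($value) === $value ? $value : null;
}

// Storage: bound parameters keep the data out of the SQL text, which is what
// mysql_real_escape_string() was approximating. Assumes PDO (SQLite here
// only so the example runs without a MySQL server).
function storeReply(PDO $db, string $comment, string $answer): int
{
    $stmt = $db->prepare('INSERT INTO replies (comment, answer) VALUES (:comment, :answer)');
    $stmt->execute([':comment' => $comment, ':answer' => $answer]);
    return (int) $db->lastInsertId();
}

// Display: escaping belongs at the moment the value is written into HTML,
// not at the moment it is read from $_POST.
function renderValue(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed submissions standing in for $_POST.
$submissions = [
    ['comment' => "  I'd say \"no\" & move on  ", 'answer' => 'maybe so'],  // accepted
    ['comment' => 'hello <b>world</b>',            'answer' => 'maybe so'],  // rejected: HTML
    ['comment' => 'fine',                          'answer' => 'admin'],     // rejected: not offered
];

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE replies (id INTEGER PRIMARY KEY, comment TEXT, answer TEXT)');

foreach ($submissions as $i => $post) {
    $answer  = validateChoice($post, 'answer', ['yes', 'no', 'maybe so']);
    $comment = validatePlainText($post, 'comment');
    if ($answer === null || $comment === null) {
        echo "submission $i: error message, redisplay the form\n";
        continue;
    }
    $id = storeReply($db, $comment, $answer);
    echo "submission $i: stored as row $id, shown as: ", renderValue($comment), "\n";
}
```

Only the first submission reaches the database; the other two are turned away before any escaping is needed, which is the order the reply recommends: validate first, and sanitize for the specific destination.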
Daukan (posted November 11, 2007), quoting L:

    I've got another security question (sorry to intrude, but it's better than making another topic). Should I encrypt my sessions so no one could duplicate them and try to log in as the admin (if possible)?

I don't think it's necessary. If you're really paranoid you can change the session var every page change/refresh, but even that is overkill most of the time.
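The session-id rotation Daukan mentions, applied only at the moments where it matters (login and logout) rather than on every page, as an added example that is not code from the thread. It assumes PHP 7.3 or newer for the array form of session_set_cookie_params() and a site served over HTTPS; the function names are my own.

```php
<?php
// Added example, not from the thread: session settings and id rotation that
// make a copied session id much less useful. Assumes PHP >= 7.3 and HTTPS.

function startSecureSession(): void
{
    // Cookie is unreadable to scripts, sent only over HTTPS, and not attached
    // to cross-site requests.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    ini_set('session.use_only_cookies', '1'); // never read the id from the URL
    session_start();
}

function loginUser(int $userId): void
{
    // A fresh id after authentication means an id that was fixed or copied
    // before login no longer maps to the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Typical use inside a request handler (assumed credential check elsewhere):
// startSecureSession();
// if ($credentialsOk) { loginUser($accountId); }
// ...
// logoutUser();
```

Rotating at login is what stops a session id that was set or copied beforehand from carrying the admin's privileges; rotating on every request, as the reply says, adds little beyond that and breaks pages that open several requests at once.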
L (posted November 11, 2007):

Sweet, thanks a lot!
elis (posted November 13, 2007), quoting Daukan:

    If you are putting a string into a database and don't accept HTML:

        <?php
        $value = mysql_real_escape_string(strip_tags(trim($_POST['value'])));
        ?>

    How you validate and sanitize really depends on what, where and how you are using the data. If you don't accept HTML you might want to tell the user:

        <?php
        if (strip_tags($_POST['value']) != $_POST['value']) {
            echo 'error message';
            // redisplay form
            exit();
        }
        ?>

    Yes, validate drop downs, checkboxes, anything from post, get, cookie or request data. If you have a radio form you could use an array to validate:

        <?php
        $good_radio_input = array('yes', 'no', 'maybe so');
        // in_array() needs the list of allowed values as its second argument
        if (!in_array($_POST['value'], $good_radio_input)) {
            // do error handling
        }
        ?>

Okay, thank you. I'll add the bottom code in for radio boxes and so forth. So the top code should suffice for all the $_post[value]?
elis (posted November 13, 2007):

anyone?