Tek-Tips is the largest IT community on the Internet today!

php form submit security 1

Status
Not open for further replies.

theEclipse

Programmer
Dec 27, 1999
1,190
US
I know that in Perl, it is a security risk not to escape characters like % $ etc. in order to prevent form hacks.

Any suggestions as to what I should be testing for in my PHP form to databases?

Robert

Robert Carpenter
/b{2}|!b{2}/ - that is the question...
robert@convertingchaos.com
 
Dunno, but you can always use existing functions that escape all the needed chars, like htmlspecialchars() (transforms all unusual chars into their HTML notation), addslashes() (escapes unusual chars), urlencode() (transforms unusual chars into their hex/URL notation), etc. Just start looking at those functions on php.net and you should find your way ;)

jamesp0tter,
mr.jamespotter@gmail.com

P.S.: sorry for my (sometimes) bad English :p
 
There are special escape functions, e.g. mysql_escape_string(). The PHP manual states that:
"Using mysql_real_escape_string() around each variable prevents SQL Injection."

As for parameters that will be passed to any kind of shell (exec, passthru, etc.), there is escapeshellcmd() to render injected meta chars harmless.

But, in general, you would do anything that you do in Perl, like input data validation (most important). Never trust user input until it is carefully validated.
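Putting the three replies together, as an added example that is not code from this thread: validate every field against an allow-list first, then escape for the destination the value is going to. It assumes PHP 7 or later with the mysqli extension, since the mysql_* functions named above were removed in PHP 7; the users table and its fields are invented for illustration.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ with mysqli (the
// mysql_* functions named above were removed in PHP 7); table is invented.

// Validation first: allow-list the shape of every field. Returns the
// cleaned values plus a list of errors (empty means the input is acceptable).
function validate_signup(array $post): array
{
    $errors = [];
    $username = (string) ($post['username'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $errors[] = 'username: 3-20 letters, digits or underscores';
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email: not a valid address';
    }
    $age = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors[] = 'age: integer between 13 and 120';
    }
    return ['errors' => $errors, 'username' => $username,
            'email' => $email, 'age' => $age];
}

// Vulnerable: the raw form value is pasted into the SQL string, so a quote
// in the input changes the statement (the "form hack" the question asks about).
function insert_unsafe(mysqli $db, array $post): bool
{
    $sql = "INSERT INTO users (username, email) VALUES "
         . "('{$post['username']}', '{$post['email']}')";
    return $db->query($sql) !== false;
}

// Hardened: only validated values reach the query, and they are bound as
// parameters, so the driver does what mysql_real_escape_string() did by hand.
function insert_safe(mysqli $db, array $clean): bool
{
    $stmt = $db->prepare('INSERT INTO users (username, email, age) VALUES (?, ?, ?)');
    $stmt->bind_param('ssi', $clean['username'], $clean['email'], $clean['age']);
    return $stmt->execute();
}

// Escape for the destination, at the destination: htmlspecialchars() when the
// value is echoed back into a page, not before it is stored.
function render_greeting(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

Call validate_signup($_POST) and only pass the result to insert_safe() when the errors list is empty; insert_unsafe() is shown only as the pattern to avoid.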
 