SQL injection
rjkdonaldson
11-06-2009, 07:32 PM
Hi, I need some advice on how to secure my webpage that I had recently made. The site enables users to post messages to a messageboard, however after I go back to view the website there are several messages appearing in the DB about prescription drugs and it's getting annoying because I have to delete those messages all the time. How can I secure the DB so that this doesn't occur? Any solutions welcome... DB I'm using is mysql.
Coyote6
11-06-2009, 07:54 PM
Sounds like a robot is posting them... a couple of things you can do...
1. Look into using captcha (http://www.captcha.net/) to prevent bots from submitting.
2. Do not allow code in your input. Reject characters such as the <> signs or turn them into HTML special characters.
3. Change all outputted data from your db using htmlentities() (http://php.net/manual/en/function.htmlentities.php) so if bad data is inputted it will not display the way they intended.
rjkdonaldson
11-06-2009, 07:58 PM
Where do I start? I suppose using captcha would be the easiest one to implement. I have no checks to prevent all this happening from the form page. Thanks.
Coyote6
11-06-2009, 08:26 PM
Can't really help you on the captcha part; I have never used it, I just know what it is for. The others are pretty simple to implement.
// Start a variable to check for input errors.
$error = FALSE;
$message = '';
// Make sure only letters, numbers, and spaces are allowed... this will eliminate any special characters.
if ((isset($_POST['text'])) && (preg_match('|^[[:alnum:][:space:]]+$|i', $_POST['text']))) {
    $text = $_POST['text'];
}
else {
    $message .= 'Please be sure to only input numbers, letters, and spaces.<br />';
    $error = TRUE;
}
if ($error == FALSE) {
    // Insert $text into database.
}
else {
    echo $message;
}
// Then when you output the data from your database use this
// (ENT_QUOTES also encodes single quotes, which the default flags leave alone).
echo htmlentities($data_to_display, ENT_QUOTES, 'UTF-8');
If some punctuation is needed then just convert the <> signs. I believe this will work on most codes. Change the check to something like this:
if ((isset($_POST['text'])) && (!empty($_POST['text']))) {
    // Store the angle brackets as entities so no HTML tag survives in the database.
    $text = preg_replace('|<|', '&lt;', $_POST['text']);
    $text = preg_replace('|>|', '&gt;', $text);
}
else {
    $message .= 'Please be sure to input some text.<br />';
    $error = TRUE;
}
// Then when you output you need to add an extra step to reconvert these to the proper html entity,
// because htmlentities() turns the stored &lt; and &gt; into &amp;lt; and &amp;gt;.
$data_to_display = htmlentities($data_to_display, ENT_QUOTES, 'UTF-8');
$data_to_display = preg_replace('|&amp;gt;|i', '&gt;', $data_to_display);
echo preg_replace('|&amp;lt;|i', '&lt;', $data_to_display);
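The two layers Coyote6 describes (an allowlist check on input and htmlentities() on output) put together in one runnable script, as an added example that is not code from either poster. It uses the first variant, which rejects angle brackets outright rather than storing them as entities, and fills in the "Insert text into database" step with a PDO prepared statement, since that is what actually keeps user text from being interpreted as SQL. Assumptions: PHP 7.1 or later with PDO; the table name messages and column body are made up for the demo; an in-memory SQLite database stands in for MySQL so the script runs offline (only the DSN in connect() would change for a MySQL server); the sample messages are constructed.

```php
<?php
// Added example, not Coyote6's or rjkdonaldson's code. Table/column names and
// the sample messages are constructed for the demo; SQLite stands in for MySQL.

// Validate a posted message: returns the trimmed text, or null if rejected.
function validate_message(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $text = trim($raw);
    // Allowlist: letters, digits, whitespace and basic punctuation, 1 to 1000 chars.
    // Angle brackets, double quotes and backslashes are simply not accepted.
    if (!preg_match('/^[[:alnum:][:space:].,!?\'()-]{1,1000}$/u', $text)) {
        return null;
    }
    return $text;
}

function connect(): PDO
{
    // Constructed for the demo: for production use a DSN such as
    // 'mysql:host=...;dbname=...' with a username and password.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

// Store a validated message with a bound parameter: the driver sends the value
// separately from the SQL text, so an apostrophe in $text cannot alter the statement.
function store_message(PDO $pdo, string $text): void
{
    $stmt = $pdo->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->execute([':body' => $text]);
}

// Encode every stored message for HTML at output time; never trust the DB contents.
function render_messages(PDO $pdo): string
{
    $html = '';
    foreach ($pdo->query('SELECT body FROM messages ORDER BY id') as $row) {
        $html .= '<p>' . htmlentities($row['body'], ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    return $html;
}

// Demo with constructed input resembling the thread's situation.
$pdo = connect();
$samples = [
    "Hello, it's a nice board!",      // accepted; the apostrophe is handled by the bound parameter
    "<b>cheap pills</b> click here",  // rejected: angle brackets are not in the allowlist
    "",                               // rejected: empty after trimming
];
foreach ($samples as $raw) {
    $text = validate_message($raw);
    if ($text === null) {
        echo 'rejected: ' . htmlentities($raw, ENT_QUOTES, 'UTF-8') . "\n";
        continue;
    }
    store_message($pdo, $text);
}
echo render_messages($pdo);
```

Run it with php from the command line; the first sample is stored and printed inside a paragraph tag with the apostrophe encoded as an entity, the other two are reported as rejected. Validation and output encoding address the spam and any HTML it carries; the prepared statement is the part that addresses the SQL injection the thread is titled after, and a captcha on the form (Coyote6's first point) is what actually reduces automated posting.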
rjkdonaldson
11-06-2009, 08:31 PM
That's OK. I'm reading the documentation on how to implement it into my website. Just going to cut and paste code from there and pray that it works...
rjkdonaldson
11-06-2009, 09:01 PM
So far so good, thanks again.