securing form values

08-22-2011, 01:01 PM
I'm looking for ways to protect my site against possible hackers.

I've got a form with some textfields and textareas; is it enough to:

- mysql_real_escape_string() every post value before entering it into a db
- htmlentities() before outputting it

Is it necessary to use stripslashes as well? Cause that would alter entered slashes from the user.

08-22-2011, 01:05 PM
Validating user inputs on the server is really a "must do".

Before processing any user inputs, make sure they contain only valid characters and nothing else. Then pass the validated input to the sql query via mysql_real_escape_string. There is no need for stripslashes in this case.

08-22-2011, 02:06 PM
Thanks. Can you tell me what kinds of things I should validate for? I've got a textarea where people can fill in lots of text. I dunno what hackers would use to hack it.

08-22-2011, 02:16 PM
This is a popular page showing how hackers can use sql injection (http://unixwiz.net/techtips/sql-injection.html) to corrupt or at least get data from an unprotected database.

But validating data is not only about helping ward off attacks. It's also about maintaining the integrity of the data in your database. For example, if the data in a database table column should only contain letters, then you should validate that user input and reject any user input for that column that contains characters other than letters.

Whatever you do, don't fall into the trap of validating user inputs only on the client side using JavaScript, because it can very easily be bypassed by switching off JavaScript in the browser.
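As an added example that is not from this thread, here is how the advice above fits together in PHP: a server-side whitelist check per field, a parameterised insert (mysqli prepared statements are used here in place of mysql_real_escape_string, since the old mysql_* functions no longer exist in PHP 7), and HTML encoding at the point of output. The field names, patterns, length limits and table name are assumptions.

```php
<?php
// Added example, not the thread's code. Validate first (whitelist), then
// escape for each context separately: SQL on the way in, HTML on the way out.

// Whitelist rules per form field (assumed field names and limits).
$rules = [
    'username' => ['pattern' => '/^[A-Za-z0-9_]{3,20}$/', 'max' => 20],
    // Free-text textarea: letters, digits, punctuation, symbols, spaces and line
    // breaks, with a hard length bound. Quotes and angle brackets are allowed
    // here on purpose; the SQL and HTML layers below are what make them safe.
    'comment'  => ['pattern' => '/^[\p{L}\p{N}\p{P}\p{S}\p{Zs}\r\n]*$/u', 'max' => 2000],
];

// Returns an array of field => error message; an empty array means accept.
function validate(array $input, array $rules): array {
    $errors = [];
    foreach ($rules as $field => $rule) {
        $value = $input[$field] ?? '';
        if (!is_string($value)) { $errors[$field] = 'wrong type'; continue; }
        if (mb_strlen($value, 'UTF-8') > $rule['max']) { $errors[$field] = 'too long'; continue; }
        if (!preg_match($rule['pattern'], $value)) { $errors[$field] = 'invalid characters'; }
    }
    return $errors;
}

// Storing: the value is bound as a parameter, never concatenated into the SQL,
// so an apostrophe in the comment stays data. No stripslashes is needed because
// nothing in this path adds backslashes.
function store(mysqli $db, string $username, string $comment): bool {
    $stmt = $db->prepare('INSERT INTO comments (username, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $comment);
    return $stmt->execute();
}

// Output: encode for HTML when rendering, not before storing, so the database
// keeps the user's literal text and other outputs (JSON, email) are not double-encoded.
function render(string $comment): string {
    return '<p>' . nl2br(htmlentities($comment, ENT_QUOTES, 'UTF-8')) . '</p>';
}

// Constructed sample input standing in for $_POST.
$post = ['username' => 'alice_01', 'comment' => "Nice site!\nIt's <b>great</b>; 1' OR '1'='1"];
$errors = validate($post, $rules);
if ($errors) {
    // Reject: re-display the form with $errors rather than storing anything.
} else {
    echo render($post['comment']);   // <b> and ' arrive in the page as &lt;b&gt; and &#039;
    // With a live connection: store($db, $post['username'], $post['comment']);
}
```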