  • #1
    ubh (Regular Coder; joined Apr 2008; Portland, Oregon U.S.A.)

    Quick security questions

    I have been requested by quite a few of my readers to write up a tutorial on how to create a seamless Ajax comment box. Personally, the extent of my security is that I run any string being sent to MySQL through mysql_real_escape_string to remove any harmful use of characters to attack the database.

    Now I have quite a few readers and I don't want to send them down the path of an insecure method. Should I be concerned about taking further action to make things more secure before teaching my readers? If so, what other security measures should I be aware of?

    Any feedback is much appreciated.

  • #2
    _Aerospace_Eng_ (Supreme Master coder!; joined Dec 2004; In a place far, far away...)

    Validate the data coming in, making sure it's not invalid data such as being blank or something that shouldn't be there. One of the things you usually learn in programming any language is that you can never trust the user, so you must take the steps necessary to make sure they don't mess things up. This is done by validation of the data being posted. You could even implement something to prevent spam, but that might be a little much; it's up to you.
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • #3
    ubh (Regular Coder; joined Apr 2008; Portland, Oregon U.S.A.)

    Yeah, I figured as much; validation on the client and server side is a given. Client side to make sure data is true and valid, server side to remove spam or foul language for this scenario, but I guess I am just concerned about database attacks and making sure I have covered all my bases.

    Thanks _Aerospace_Eng_

  • #4
    _Aerospace_Eng_ (Supreme Master coder!; joined Dec 2004; In a place far, far away...)

    Quote Originally Posted by ubh View Post
    Yeah, I figured as much; validation on the client and server side is a given. Client side to make sure data is true and valid, server side to remove spam or foul language for this scenario, but I guess I am just concerned about database attacks and making sure I have covered all my bases.

    Thanks _Aerospace_Eng_
    mysql_real_escape_string should be enough. Be sure to use stripslashes if magic_quotes is enabled. You could also look into prepared statements and the use of sprintf for your queries.

    http://dev.mysql.com/tech-resources/...tatements.html
    http://www.talkphp.com/general/1062-...s-sprintf.html
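A worked example, added here and not code from the thread, of the server side of the Ajax comment box done the way #4 recommends: undo magic_quotes with stripslashes, validate the fields, then insert with a mysqli prepared statement instead of building the query from the escaped string. It assumes PHP 7 or later with the mbstring extension, a `comments(id, post_id, author, body, created_at)` table, and placeholder database credentials.

```php
<?php
// Added example, not code from the thread: the server side of an Ajax comment
// box done the way post #4 suggests. Assumes PHP 7+ and a table
// comments(id, post_id, author, body, created_at); credentials are placeholders.

// Undo the slashes PHP added when magic_quotes_gpc was on (pre-5.4 installs),
// so the value is escaped exactly once, by the driver, instead of twice.
function rawInput(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Server-side validation: reject blank or oversized fields before any query runs.
function validateComment(int $postId, string $author, string $body): array
{
    $errors = [];
    if ($postId <= 0) { $errors[] = 'invalid post id'; }
    if ($author === '' || mb_strlen($author) > 60) { $errors[] = 'author must be 1-60 characters'; }
    if ($body === '' || mb_strlen($body) > 2000) { $errors[] = 'body must be 1-2000 characters'; }
    return $errors;
}

// Prepared statement: the ? placeholders are bound as data, so quotes or SQL
// keywords inside a comment are stored literally rather than parsed as SQL.
function insertComment(mysqli $db, int $postId, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (post_id, author, body, created_at) VALUES (?, ?, ?, NOW())');
    $stmt->bind_param('iss', $postId, $author, $body);
    $stmt->execute();
    return $stmt->insert_id;
}

header('Content-Type: application/json');
$postId = (int) rawInput($_POST['post_id'] ?? '0');
$author = trim(rawInput($_POST['author'] ?? ''));
$body   = trim(rawInput($_POST['body'] ?? ''));
$errors = validateComment($postId, $author, $body);
if ($errors) {
    http_response_code(400);
    exit(json_encode(['ok' => false, 'errors' => $errors]));
}
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // a failed prepare/execute throws
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'blog');  // placeholder credentials
$db->set_charset('utf8mb4');  // the connection charset also governs real_escape_string
$id = insertComment($db, $postId, $author, $body);
// Escape on output too, so a stored comment cannot inject HTML into the page that shows it.
echo json_encode(['ok' => true, 'id' => $id, 'author' => htmlspecialchars($author, ENT_QUOTES, 'UTF-8')]);
```

Setting the connection charset matters even on the escaping path from #4: mysql_real_escape_string is only correct for the charset the connection actually uses.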
