  1. #1 Regular Coder (joined Feb 2007)

    securing form values

    I'm looking for ways to protect my site against possible hackers.

    I've got a form with some text fields and textareas. Is it enough to:

    - mysql_real_escape_string() every post value before entering it into a db
    - htmlentities() before outputting it

    Is it necessary to use stripslashes as well? Because that would alter slashes entered by the user.

  • #2 Banned (joined Apr 2011)
    Validating user inputs on the server is really a "must do".

    Before processing any user inputs, make sure they contain only valid characters and nothing else. Then pass the validated input to the SQL query via mysql_real_escape_string. There is no need for stripslashes in this case.

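    As an added example (not code from the thread), here is the scheme the question describes, written for PHP 7 or later with PDO. The table, DSN and credentials are placeholders chosen for this example. It shows why a prepared statement is the safer replacement for escape-then-interpolate, where the one legitimate use of stripslashes() ever was, and which arguments htmlentities()/htmlspecialchars() need in order to actually cover quotes.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with PDO, a table
// posts(id INT AUTO_INCREMENT PRIMARY KEY, author VARCHAR(64), body TEXT),
// and placeholder DSN/credentials ('app'/'secret') chosen for this example.

// Database side. Hand escaping with mysql_real_escape_string() only works when
// the escaped value is wrapped in quotes in the query, the function is given
// the live connection, and the connection charset is set; an unquoted numeric
// context ("WHERE id = $id") is still injectable after escaping. A prepared
// statement sends the data separately from the SQL, so none of that applies.
function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side escaping
    ]);
}

function save_post(PDO $pdo, string $author, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function load_post(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT author, body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Input side. Store exactly what the user typed; do not add or strip slashes
// on the way in. The only reason stripslashes() was ever needed is the old
// magic_quotes_gpc setting (removed in PHP 5.4), which silently escaped every
// request value; on such an installation undo it once, here, and nowhere else.
function post_value(string $key): string
{
    $v = $_POST[$key] ?? '';
    if (!is_string($v)) {          // reject name[]= style arrays
        return '';
    }
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $v = stripslashes($v);     // PHP < 5.4 with magic quotes on, only
    }
    return $v;
}

// Output side. Encode at the moment the value is placed into HTML, and say
// which quotes and which charset: with no further arguments the default flags
// encode only double quotes until PHP 8.1, and the default charset was
// ISO-8859-1 before PHP 5.4, so a bare htmlentities($s) leaves gaps.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Usage (one request)
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pdo = connect();
    $id  = save_post($pdo, post_value('author'), post_value('body'));
    $row = load_post($pdo, $id);
    // A body of <script>alert(1)</script> is stored verbatim and rendered as text.
    echo '<p><b>' . h($row['author']) . '</b></p>' . "\n";
    echo '<pre>' . h($row['body']) . '</pre>' . "\n";
}
```

    The point of the layout is that each escaping step lives at the boundary where it matters: the SQL parameter protects the database, h() protects the page, and the stored text stays untouched, so there is nothing for stripslashes() to undo.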
  • #3 Regular Coder (joined Feb 2007)
    Thanks, can you tell me what kind of things I should validate on? I've got a textarea where people can fill in lots of text. I don't know what hackers would use to hack it.

  • #4 Banned (joined Apr 2011)
    This is a popular page showing how hackers can use sql injection to corrupt or at least get data from an unprotected database.

    But validating data is not only about helping ward off attacks. It's also about maintaining the integrity of the data in your database. For example, if the data in a database table column should only contain letters, then you should validate that user input and reject any user input for that column that contains characters other than letters.

    Whatever you do, don't fall into the trap of validating user inputs only on the client side using JavaScript, because it can very easily be bypassed by switching off JavaScript in the browser.
    Last edited by webdev1958; 08-22-2011 at 01:18 PM.

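    To make the "validate on the server" advice concrete, an added example (not the thread's own code): a whitelist validator in PHP 7+ that covers the letters-only column from the reply above and a free-text textarea like the one in the question. The field names, limits and rules are assumptions for this example.

```php
<?php
// Added example, not code from the thread. The field names, limits and rules
// are choices made for this example, not the original poster's form.

// Whitelist rules: describe what each field may contain and reject anything
// else. \A and \z anchor the whole value; a trailing $ would accept a final
// newline. The /u modifier makes \p{..} classes Unicode-aware.
const RULES = [
    // a column that should only ever hold letters, in any script, not just A-Z
    'name'    => ['pattern' => '/\A\p{L}+\z/u', 'max' => 64],
    'email'   => ['filter' => FILTER_VALIDATE_EMAIL, 'max' => 254],
    // free text from a textarea: bounded length and no control characters
    // apart from newline, carriage return and tab. It will legitimately
    // contain < > ' and ;, so validation bounds the data; the SQL parameter
    // and HTML encoding protect the database and the page.
    'message' => ['pattern' => '/\A(?:[^\p{Cc}]|[\r\n\t])*\z/u', 'max' => 4000],
];

function validate(array $input, array $rules): array
{
    $errors = [];
    $values = [];
    foreach ($rules as $field => $rule) {
        $value = $input[$field] ?? null;
        // a missing field or an array (name[]=x) is rejected, not coerced
        if (!is_string($value) || $value === '') {
            $errors[$field] = 'required';
            continue;
        }
        // a malformed byte sequence can slip past pattern checks; refuse it early
        if (!mb_check_encoding($value, 'UTF-8')) {
            $errors[$field] = 'invalid encoding';
            continue;
        }
        if (mb_strlen($value, 'UTF-8') > $rule['max']) {
            $errors[$field] = 'too long';
            continue;
        }
        // preg_match() returns 0 for no match and false on error, so compare
        // against 1 rather than testing truthiness
        if (isset($rule['pattern']) && preg_match($rule['pattern'], $value) !== 1) {
            $errors[$field] = 'invalid characters';
            continue;
        }
        if (isset($rule['filter']) && filter_var($value, $rule['filter']) === false) {
            $errors[$field] = 'invalid';
            continue;
        }
        $values[$field] = $value;
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'values' => $values];
}

// Constructed requests standing in for $_POST.
$good = [
    'name'    => 'Émilie',
    'email'   => 'emilie@example.com',
    'message' => "Hello,\nsecond line\tdone.",
];
$bad = [
    'name'    => "Robert'); DROP TABLE students;--",   // quotes, space, punctuation
    'email'   => 'not-an-address',
    'message' => "text with a NUL \0 byte",             // control character
];

$accepted = validate($good, RULES);
$rejected = validate($bad, RULES);
var_dump($accepted['ok']);
print_r($rejected['errors']);
```

    With these inputs the first request passes and the second is rejected on all three fields. Rejected values are reported back rather than cleaned up, which is what the reply above recommends: a letters-only column never gets the stray punctuation, and the textarea never gets a NUL byte, regardless of what the browser-side script did or did not check.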