I am still pretty new to PHP/MYSQL. I want to make a very very simple forum, mostly to learn from. I have been reading articles on PHP security, but each time it seems to add more questions and makes me want to hide under my bed.
I guess I have two concerns.
I striptags() on all form input, and it is my understanding that PHP is escaping automatically. This will be put into MYSQL.
However, should I also be using the mysql escape functions before I enter it into the db? Or is striptags enough?
The second is all this stuff about header injections.
If my 'TOPIC' list titles have links to show the TOPIC with a thread_id in the URL, do I need to striptags and verify that it is still an integer before I pass it to MYSQL to get the list of messages?
I guess what I am asking is: do you verify URL variables created by PHP on your site from page to page?
Is there a standard set of functions you can include to do this?
Thanks
James MacLeod
Am I insane to try and make my own forum?
mysql_real_escape_string on all input going into the database.
striptags is used when taking data OUT of the database, not while putting it in.
Yes, verify ALL input from $_COOKIE, $_GET, $_POST, $_SERVER... don't trust any of it.
A year and a half ago, I tried to create my own CMS / Blog / Forum system, and I learned a LOT from it. I learned OOP, found Unit Testing, learned how sessions work, learned a lot about htaccess and mod_rewrite, and so many other things. Although I never completed it, it was certainly worth my time - things you learn from experience stick around a lot better than things you read.
The single most important thing I learned, however, was keep things simple. Don't plan out an elaborate system with all of the features you could possibly think of. Do strip the requirements down to the bare minimum: registration, login / logout, manage profile, view list of forums, view list of topics in forum, view topic, post topic / reply to topic will be plenty to keep you busy for a while.
If you don't keep things down the bare minimum, you will burn out, give up, and be frustrated. Keeping things simple gives you a feeling of accomplishment, and allows you to have a "working product" while allowing you to add in more features later.
You may want to look into unit testing (I use SimpleTest), but I won't push it on you. It took me a while to become comfortable with it. It's a complete u-turn from the "standard" programming practice. It saves a lot of time, though, and you'll be a lot more confident in the quality of your work.
Good luck!
- Nathaniel
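The three rules above (verify every request variable, escape on the way into the database, escape on the way out) as one small PHP example. This is added here and is not code from the thread: it uses a mysqli prepared statement in place of the mysql_real_escape_string call Nathaniel mentions, and htmlspecialchars rather than strip_tags for output; the `messages` table, column names and connection details are placeholders.

```php
<?php
declare(strict_types=1);

// 1. URL parameters such as thread_id: confirm it really is a positive integer
//    before it is used anywhere. Anything else ("12abc", "-3", "", an array)
//    yields null so the caller can answer with a 404 instead of a query.
function thread_id_from_request(array $get): ?int
{
    if (!isset($get['thread_id']) || !is_string($get['thread_id'])) {
        return null;
    }
    $id = filter_var($get['thread_id'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 2. Data going INTO the database: never concatenate it into SQL. Binding the
//    value as a parameter does the escaping step for you, for reads and writes
//    alike (this is the modern equivalent of escaping every field by hand).
function fetch_messages(mysqli $db, int $threadId): array
{
    $stmt = $db->prepare('SELECT author, body FROM messages WHERE thread_id = ?');
    $stmt->bind_param('i', $threadId);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// 3. Data coming OUT of the database into HTML: escape at render time, not at
//    insert time, so the stored text stays intact and can be re-rendered later.
function render_message(array $row): string
{
    $author = htmlspecialchars($row['author'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $body   = nl2br(htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    return "<div class=\"msg\"><b>$author</b>: $body</div>";
}

// Topic page: validate first, query second, escape when printing.
$threadId = thread_id_from_request($_GET);
if ($threadId === null) {
    http_response_code(404);
    exit('No such topic');
}
// Placeholder credentials; real values belong in a config file outside the web root.
$db = new mysqli('localhost', 'forum_user', 'PLACEHOLDER_PASSWORD', 'forumdb');
foreach (fetch_messages($db, $threadId) as $row) {
    echo render_message($row);
}
```

The same pattern applies to $_POST, $_COOKIE and $_SERVER values: validate the type first, bind it as a parameter, and escape only when it is written into a page.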
Nathaniel wrote:mysql_real_escape_string on all input going into the database.
striptags is used when taking data OUT of the database, not while putting it in.
Yes, verify ALL input from $_COOKIE, $_GET, $_POST, $_SERVER... don't trust any of it.
A year and a half ago, I tried to create my own CMS / Blog / Forum system, and I learned a LOT from it. I learned OOP, found Unit Testing, learned how sessions work, learned a lot about htaccess and mod_rewrite, and so many other things. Although I never completed it, it was certainly worth my time - things you learn from experience stick around a lot better than things you read.
The single most important thing I learned, however, was keep things simple. Don't plan out an elaborate system with all of the features you could possibly think of. Do strip the requirements down to the bare minimum: registration, login / logout, manage profile, view list of forums, view list of topics in forum, view topic, post topic / reply to topic will be plenty to keep you busy for a while.
If you don't keep things down the bare minimum, you will burn out, give up, and be frustrated. Keeping things simple gives you a feeling of accomplishment, and allows you to have a "working product" while allowing you to add in more features later.
You may want to look into unit testing (I use SimpleTest), but I won't push it on you. It took me a while to become comfortable with it. It's a complete u-turn from the "standard" programming practice. It saves a lot of time, though, and you'll be a lot more confident in the quality of your work.
Good luck!
- Nathaniel
Fantastic, thanks for the help. I will check into the Unit Testing, as of writing this I have no idea what it even is! LOL.