Am I insane to try and make my own forum?
Posted: Thu Apr 06, 2006 11:41 am
I am still pretty new to PHP/MYSQL. I want to make a very very simple forum, mostly to learn from. I have been reading articles on PHP security, but each time it seems to add more questions and makes me want to hide under my bed.
I guess I have two concerns.
I striptags() on all form input, and it is my understanding that PHP is escaping automatically. This will be put into MYSQL.
However, should I also be using the mysql escape functions before I enter it into the db? Or is striptags enough?
The second is all this stuff about header injections.
If my 'TOPIC' list titles have links to show the TOPIC with a thread_id in the URL, do I need to striptags and verify that it is still an integer before I pass it to MYSQL to get the list of messages?
I guess what I am asking is, do you verify URL variables created by PHP on your site from page to page?
Is there a standard set of functions you can include to do this?
Thanks
James MacLeod
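The two concerns raised in the post, as an added example that is not part of the original post: stripping tags does not make a value safe for SQL, and a thread_id read from the URL is validated as an integer even when the site generated the link. It assumes PDO with an in-memory SQLite database standing in for MySQL; the table, column and function names are hypothetical.

```php
<?php
// Added example: SQLite in memory stands in for MySQL so this runs offline.
// Table, column and function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, thread_id INTEGER, body TEXT)');

// strip_tags() removes markup but leaves quotes in place, so it is not SQL escaping.
$raw   = "It's <b>my</b> first post";   // constructed form input
$clean = strip_tags($raw);              // the apostrophe is still present

// Bound parameters keep the value out of the SQL text entirely.
$ins = $db->prepare('INSERT INTO messages (thread_id, body) VALUES (:tid, :body)');
$ins->execute([':tid' => 7, ':body' => $clean]);

// Validate a thread_id taken from the URL, even if your own page built the link.
function thread_id_from_request(array $query): ?int
{
    $id = filter_var($query['thread_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function messages_for_thread(PDO $db, array $query): array
{
    $tid = thread_id_from_request($query);
    if ($tid === null) {
        return [];   // reject anything that is not a positive integer
    }
    $sel = $db->prepare('SELECT body FROM messages WHERE thread_id = :tid ORDER BY id');
    $sel->execute([':tid' => $tid]);
    return $sel->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed query strings standing in for $_GET.
foreach ([['thread_id' => '7'], ['thread_id' => '12abc'], ['thread_id' => '-3'], []] as $q) {
    foreach (messages_for_thread($db, $q) as $body) {
        // Escape when writing into HTML; this is separate from the SQL handling above.
        echo htmlspecialchars($body, ENT_QUOTES, 'UTF-8'), PHP_EOL;
    }
}
```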