security of forms

DarkAngelBGE
Forum Newbie
Posts: 8
Joined: Wed Feb 19, 2003 8:58 am


Post by DarkAngelBGE »

Can we compile a list here on how to make form values as secure and "stylish" as possible? I mean general text submitted via forms and inserted into a database.


I'd suggest always going with this for example:

<input type="text" name="name" blabla>

and then in the script:

$name = (!empty($HTTP_POST_VARS['name'])) ? trim($HTTP_POST_VARS['name']) : ' '; // or $_POST

function verify($string)
{
    // looking for hacking attempts (using ; , " or ' in forms)
    // each check sets the flag independently so that one hit is enough to fail
    $err = 0;
    if (substr_count($string, ";") > 0) $err = 1;
    if (substr_count($string, "\"") > 0) $err = 1;
    if (substr_count($string, "'") > 0) $err = 1;

    if ($err == 1) return FALSE;
    else return TRUE;
}

if (verify($name) == FALSE) die("Hacking attempt! have to go!");


any comments and suggestions appreciated.
Last edited by DarkAngelBGE on Fri Feb 21, 2003 5:01 am, edited 1 time in total.
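An added example, not part of the original post: the same character blacklist written so that every disallowed character is actually tested (using strpbrk()), with a small driver over constructed submissions. The driver also shows the weakness of the approach, which is that a legitimate value such as the surname O'Brien is rejected along with genuinely unwanted input. The helper names (findDisallowedChar, postField) are made up for this example.

```php
<?php
// Added example; not code from the thread. Blacklist check of the kind
// proposed above, plus a driver that shows which inputs it rejects.

declare(strict_types=1);

/**
 * Return the first disallowed character found in $value, or null if none.
 * The default set mirrors the thread: semicolon, double quote, single quote.
 */
function findDisallowedChar(string $value, string $disallowed = ";\"'"): ?string
{
    // strpbrk() returns the rest of $value starting at the first character
    // that is in $disallowed, so its first byte is the offending character.
    $rest = strpbrk($value, $disallowed);
    return $rest === false ? null : $rest[0];
}

/** Equivalent of the thread's verify(): TRUE when no disallowed character is present. */
function verify(string $value): bool
{
    return findDisallowedChar($value) === null;
}

/** Read a POST field, trimmed; '' when the field is absent. */
function postField(array $post, string $key): string
{
    return isset($post[$key]) ? trim((string) $post[$key]) : '';
}

// Constructed sample submissions for the demonstration, not real traffic.
$samples = [
    ['name' => "Alice"],
    ['name' => "  Bob  "],              // surrounding whitespace is trimmed away
    ['name' => "O'Brien"],              // legitimate surname, rejected by the blacklist
    ['name' => "say \"hi\"; bye"],      // contains two of the disallowed characters
    [],                                 // field missing entirely
];

foreach ($samples as $post) {
    $name = postField($post, 'name');
    $bad  = findDisallowedChar($name);
    printf("%-22s %s\n", var_export($name, true),
        $bad === null ? 'accepted' : "rejected (found '{$bad}')");
}
```

Run it with `php example.php`; the O'Brien line is the one to look at. A blacklist on quote characters cannot tell a real apostrophe from one that is meant to break out of an SQL string literal, which is why the escaping approach later in this thread is the better fit for values headed into a database.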
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

I tend to trim() the user input before testing it with the empty() function.

Mac
DarkAngelBGE
Forum Newbie
Posts: 8
Joined: Wed Feb 19, 2003 8:58 am

Post by DarkAngelBGE »

I found out that this:


$name = (!empty($HTTP_POST_VARS['name'])) ? trim($HTTP_POST_VARS['name']) : ' '; // or $_POST

function verify($string)
{
    // looking for hacking attempts (using ; , " or ' in forms)
    $err = 0;
    if (substr_count($string, ";") > 0) $err = 1;
    if (substr_count($string, "\"") > 0) $err = 1;
    if (substr_count($string, "'") > 0) $err = 1;

    if ($err == 1) return FALSE;
    else return TRUE;
}

if (verify($name) == FALSE) die("Hacking attempt! have to go!");
can be replaced by this here:


$name = (!empty($HTTP_POST_VARS['name'])) ? trim(mysql_escape_string($HTTP_POST_VARS['name'])) : ' '; // or $_POST
Notice mysql_escape_string: it will put a backslash in front of all ", ' etc., which is great!
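An added example, not the poster's code: the trim-then-escape idiom from this post shown with addslashes() (mysql_escape_string() no longer exists in current PHP releases, and addslashes() does the same backslash-before-quotes job for illustration), next to a prepared statement, which goes one step beyond the thread and removes the need to escape at all. It assumes the PDO SQLite driver is available so that it runs offline against an in-memory database; the table name guestbook and the helper names are made up for this example.

```php
<?php
// Added example; not code from the thread. Escaping a form value the way the
// post above describes, and inserting the same value with a prepared
// statement so the round trip can be checked.

declare(strict_types=1);

/** Trim a POST field and return '' when it is missing (the thread's idiom). */
function cleanField(array $post, string $key): string
{
    return isset($post[$key]) ? trim((string) $post[$key]) : '';
}

/** Old-style escaping: backslash before ' " \ and NUL, wrapped as an SQL literal. */
function escapedLiteral(string $value): string
{
    return "'" . addslashes($value) . "'";
}

/** The kind of statement the post builds by hand after escaping. */
function buildEscapedInsert(string $name): string
{
    return "INSERT INTO guestbook (name) VALUES (" . escapedLiteral($name) . ")";
}

/** Same insert with a bound parameter: the driver keeps data and SQL apart. */
function insertWithPreparedStatement(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO guestbook (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

$db = new PDO('sqlite::memory:');                         // assumes pdo_sqlite is loaded
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed submission containing every character the thread worries about.
$post = ['name' => "  O'Brien \"the\" ; tester  "];
$name = cleanField($post, 'name');

echo "Escaped SQL : ", buildEscapedInsert($name), "\n";

insertWithPreparedStatement($db, $name);
$stored = $db->query('SELECT name FROM guestbook')->fetchColumn();
echo "Stored value: ", $stored, "\n";
echo $stored === $name ? "round trip intact\n" : "round trip changed the value\n";
```

The escaped SQL line shows the backslashes the post is talking about; the stored value shows that the prepared statement keeps the apostrophe, the quotes and the semicolon intact without any escaping, because the value is never spliced into the query text. Escaping by hand also has to match the connection's character set, which is why the later mysql_real_escape_string() took a connection argument; a bound parameter sidesteps that concern too.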