Can we compile a list here on how to make form values as secure and "stylish" as possible? I mean general text submitted via forms and inserted into a database.
I'd suggest always going with this, for example:
<input type="text" name="name" ...>
and then in the script:
$name = (!empty($HTTP_POST_VARS['name'])) ? trim($HTTP_POST_VARS['name']) : ' '; // or $_POST
function verify($string)
{
// looking for hacking attempts (using ; , " or ' in forms)
$err = 0;
if (substr_count($string, ";") > 0) $err = 1;
if (substr_count($string, "\"") > 0) $err = 1;
if (substr_count($string, "'") > 0) $err = 1;
if($err == 1) return FALSE;
else return TRUE;
}
if(verify($name) == FALSE) die("Hacking attempt! have to go!");
Any comments and suggestions appreciated.
security of forms
DarkAngelBGE
- Forum Newbie
- Posts: 8
- Joined: Wed Feb 19, 2003 8:58 am
Last edited by DarkAngelBGE on Fri Feb 21, 2003 5:01 am, edited 1 time in total.
- twigletmac
- Her Royal Site Adminness
- Posts: 5371
- Joined: Tue Apr 23, 2002 2:21 am
- Location: Essex, UK
DarkAngelBGE
I found out that this:
$name = (!empty($HTTP_POST_VARS['name'])) ? trim($HTTP_POST_VARS['name']) : ' '; // or $_POST
can be replaced by this here:
$name = (!empty($HTTP_POST_VARS['name'])) ? trim(mysql_escape_string($HTTP_POST_VARS['name'])) : ' '; // or $_POST
Notice mysql_escape_string.. it will put a backslash in front of all ", ' etc., which is great!
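The thread's two approaches (rejecting ; " ' outright, or escaping them before the query) both treat quoting as the script's job; the approach that makes those characters harmless regardless is to bind the value as a parameter so it never becomes part of the SQL text. The following is an added example, not code from this thread; it assumes PHP 7.1+ with the PDO SQLite driver, and the users table, the in-memory database and the POST array are all constructed for the demo:

```php
<?php
// Added example (not from the thread): validate the "name" field for shape,
// then insert it with a bound parameter instead of a character blacklist
// or mysql_escape_string(). Table name and in-memory SQLite DB are assumptions.

// Validate what a name may look like; do not reject apostrophes, because
// O'Brien is legitimate input and quoting is the driver's job, not ours.
function clean_name(array $post): ?string
{
    if (!isset($post['name']) || !is_string($post['name'])) {
        return null;
    }
    $name = trim($post['name']);
    // Reject empty or oversized values (64 bytes is an assumed limit).
    if ($name === '' || strlen($name) > 64) {
        return null;
    }
    return $name;
}

// The value travels separately from the SQL text, so ; " ' inside it
// are stored as data and cannot alter the statement.
function store_name(PDO $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Demo on a constructed database with a constructed POST payload that
// contains all three characters the thread's verify() would reject.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$fakePost = ['name' => "  O'Brien; \"test\"  "]; // constructed input
$name = clean_name($fakePost);
if ($name === null) {
    exit("invalid name\n");
}
$id = store_name($db, $name);

// Read it back: the row holds the exact trimmed string, backslashes and all
// other escaping having never entered the picture.
$row = $db->query('SELECT name FROM users')->fetch(PDO::FETCH_ASSOC);
echo $id, ': ', $row['name'], "\n";
```

The same pattern applies to the MySQL driver by changing the DSN; the prepare/bindValue calls are unchanged.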