
security of forms

Posted: Wed Feb 19, 2003 1:42 pm
by DarkAngelBGE
Can we compile a list here on how to make form values most secure and "stylish"? I mean general text submitted via forms and inserted into a database.


I'd suggest always going with this for example:

<input type="text" name="name">

and then in the script:

$name = (!empty($HTTP_POST_VARS['name'])) ? trim($HTTP_POST_VARS['name']) : ' '; // or $_POST

function verify($string)
{
    // looking for hacking attempts (using ; , " or ' in forms)
    // start clean and flag the string as soon as one of the characters is found
    $err = 0;
    if (substr_count($string, ';') > 0) $err = 1;
    if (substr_count($string, '"') > 0) $err = 1;
    if (substr_count($string, "'") > 0) $err = 1;

    if ($err == 1) return FALSE;
    else return TRUE;
}

if(verify($name) == FALSE) die("Hacking attempt! have to go!");


any comments and suggestions appreciated.

Posted: Fri Feb 21, 2003 3:17 am
by twigletmac
I tend to trim() the user input before testing it with the empty() function.

Mac

Posted: Fri Feb 21, 2003 5:03 am
by DarkAngelBGE
I found out that this:

$name = (!empty($HTTP_POST_VARS['name'])) ? trim($HTTP_POST_VARS['name']) : ' '; // or $_POST

function verify($string)
{
    // looking for hacking attempts (using ; , " or ' in forms)
    // start clean and flag the string as soon as one of the characters is found
    $err = 0;
    if (substr_count($string, ';') > 0) $err = 1;
    if (substr_count($string, '"') > 0) $err = 1;
    if (substr_count($string, "'") > 0) $err = 1;

    if ($err == 1) return FALSE;
    else return TRUE;
}

if (verify($name) == FALSE) die("Hacking attempt! have to go!");

can be replaced by this:

$name = (!empty($HTTP_POST_VARS['name'])) ? trim(mysql_escape_string($HTTP_POST_VARS['name'])) : ' '; // or $_POST

Notice mysql_escape_string: it will put a backslash in front of all ", ' etc., which is great!
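The two approaches in this thread, the character denylist from the first post and the escaping from the last post, side by side with a prepared statement, as an added example that is not code posted by anyone in the thread. It assumes PHP with the pdo_sqlite extension: an in-memory SQLite database stands in for MySQL so it runs offline, PDO::quote() stands in for mysql_escape_string(), and the table, rows and attacker inputs are constructed for the demonstration.

```php
<?php
// Added example for this thread, not code from any post in it. Assumes the
// pdo_sqlite extension; the users table, its rows and the inputs below are
// constructed for the demonstration.

// The denylist check from the first post, same intent: reject any value
// containing ; " or '.
function verify(string $string): bool
{
    return preg_match('/[;"\']/', $string) !== 1;
}

// Denylist, then concatenate into the query (the first post's approach).
// In a numeric context the attacker needs no quote at all, so verify()
// accepts "1 OR 1=1" and the WHERE clause becomes id = 1 OR 1=1.
function lookupByIdVulnerable(PDO $pdo, string $id): array
{
    if (!verify($id)) {
        throw new RuntimeException('rejected by verify()');
    }
    $sql = "SELECT name FROM users WHERE id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Escaping (the second post's approach). PDO::quote() escapes the value and
// wraps it in quotes, which is what mysql_escape_string() plus hand-written
// quotes does for MySQL. Escaping is only meaningful inside a quoted string
// literal; an escaped value dropped into an unquoted numeric context is
// still injectable.
function lookupByIdEscaped(PDO $pdo, string $id): array
{
    $sql = 'SELECT name FROM users WHERE id = ' . $pdo->quote($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared statement: the value travels as data, never as SQL text, so no
// denylist or escaping is needed and input such as O'Brien is allowed.
function lookupByIdSafe(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function insertNameSafe(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (?)');
    $stmt->execute([$name]);
    return (int) $pdo->lastInsertId();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$attack = '1 OR 1=1';                          // constructed attacker input, no quotes in it
var_dump(verify($attack));                     // the denylist does not object
print_r(lookupByIdVulnerable($pdo, $attack));  // concatenated: the OR widens the WHERE clause
print_r(lookupByIdEscaped($pdo, $attack));     // quoted: it is compared as a plain string
print_r(lookupByIdSafe($pdo, $attack));        // bound as data: same as above

$legit = "O'Brien";                            // constructed legitimate input
var_dump(verify($legit));                      // the denylist rejects a real name
$id = insertNameSafe($pdo, $legit);            // the prepared statement stores it intact
print_r(lookupByIdSafe($pdo, (string) $id));
```

Run with php: the concatenated lookup returns every row for the quote-free input even though verify() passed it, the escaped and prepared lookups return no row because the whole string is compared against the id, and the prepared insert stores O'Brien, which the denylist would have refused. The practitioner's takeaway is that a denylist on quote characters neither stops numeric-context injection nor admits legitimate names, escaping works only inside quoted literals, and a prepared statement handles both cases without inspecting the input at all.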