PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
All times are UTC - 5 hours
PostPosted: Sun Nov 20, 2011 2:01 pm 
Forum Newbie

Joined: Sun Nov 20, 2011 1:46 pm
Posts: 3
Good day, and thank you in advance for all of you brilliant and experienced programmers that can help me. I build websites for very small clients... some have things like event calendars with user registrations for the event. So, I am getting warnings for SQL injection errors, and most of my dreamweaver extensions do not include any security except the (get_real_escape...) tag on the main event registration form. I have gone to the cheat sheet for escaping characters, but I really do not know where to include this code in my input forms. Syntax? Proper ordering? Will it disable other functions on the page? Thanks so much for your help.

PostPosted: Sun Nov 20, 2011 9:57 pm 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6425
Location: Montreal, Canada
Well, what have you tried? Show us some code and we can better offer pointers. Here's pointer #1: get a proper IDE.

PostPosted: Mon Nov 21, 2011 10:43 am 
Forum Newbie

Joined: Sun Nov 20, 2011 1:46 pm
Posts: 3
Hi - Thanks. That is a great idea. For the moment, though, I am just a designer using Dreamweaver and extensions.

PostPosted: Mon Nov 21, 2011 10:58 am 
Forum Regular

Joined: Tue Sep 28, 2010 11:41 am
Posts: 984
Location: Columbus, Ohio
For the following, when I say "data", I am referring to information that came from a form, passed via QueryString and/or previous data loaded back in from a database (Edit: and the other things listed in my last line below)

I keep Data in variables to always be the "raw" data (nothing escaped, converted to entities, etc)

For putting data into the database, use mysql_real_escape_string() (or prepared statements via PDO). *Note*: if it is a value going to a field that only holds integers, I will generally use (int) in front of it to force PHP to treat the data as an integer, e.g.

$intPK = (isset($_GET['pk']) ? (int)$_GET['pk'] : 0); // 0 when absent; (int) discards anything that is not a leading integer

For displaying the data on the website (or to be used in a form's value="" attribute), use htmlspecialchars()

For using data as part of a querystring in a link, use urlencode

Remember the golden rule for handling data with PHP: NEVER trust anything that comes from the client. Examples: $_POST, $_GET, $_COOKIE, $_SERVER['HTTP_REFERER'], $_SERVER['PHP_SELF'], $_SERVER['HTTP_USER_AGENT']

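The rules in the post above (cast integer fields with (int), use a prepared statement at the database boundary, htmlspecialchars() at the HTML boundary, urlencode() at the query-string boundary, keep the raw data in variables in between) applied to one request handler for a hypothetical event-registration form. This is an added example and not code from the thread; the table, column names and sample input are assumptions, and SQLite in memory stands in for MySQL so the script runs offline. It uses PDO prepared statements rather than mysql_real_escape_string() because the mysql extension was removed in PHP 7.0.

```php
<?php
// Added example for the thread above, not code posted there. The table, column
// names and sample input are assumptions; SQLite in memory stands in for MySQL
// so the script runs offline with nothing but PHP and pdo_sqlite installed.
declare(strict_types=1);

// Constructed sample input standing in for $_GET and $_POST. Both carry hostile
// text: an injection attempt in the id and a quote plus HTML payload in the name.
$get  = ['pk' => '7 OR 1=1'];
$post = ['name' => "O'Brien <script>alert(1)</script>", 'email' => 'obrien@example.com'];

// Rule 1: force integer fields with (int). (int)'7 OR 1=1' is 7; the rest is discarded.
$eventId = isset($get['pk']) ? (int)$get['pk'] : 0;

// Rule 2 (the post's convention): variables hold the raw data. Escape only at
// the boundary where the data is used, never "in advance".
$name  = (string)($post['name']  ?? '');
$email = (string)($post['email'] ?? '');

// With pdo_mysql, also pass PDO::ATTR_EMULATE_PREPARES => false so parameters
// are bound server-side; pdo_sqlite always uses native prepared statements.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE registrations (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    event_id INTEGER NOT NULL,
    name TEXT NOT NULL,
    email TEXT NOT NULL)');

// Database boundary: a prepared statement with named placeholders. The quote in
// O'Brien and the <script> tag travel as parameter values, never as SQL text.
function registerAttendee(PDO $pdo, int $eventId, string $name, string $email): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO registrations (event_id, name, email) VALUES (:event_id, :name, :email)'
    );
    $stmt->execute([':event_id' => $eventId, ':name' => $name, ':email' => $email]);
    return (int)$pdo->lastInsertId();
}

// For contrast only, the string-built query this replaces. With the sample name
// it is both a syntax error (the apostrophe) and injectable. Left commented out.
// $pdo->exec("INSERT INTO registrations (event_id, name, email) VALUES ($eventId, '$name', '$email')");

// HTML boundary: one helper used for text nodes and for value="" attributes.
// ENT_QUOTES escapes both quote characters so a value cannot close the attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read back what was stored; true when the raw text (quote and tag) survived intact.
function storedNameMatches(PDO $pdo, int $id, string $expected): bool
{
    $stmt = $pdo->prepare('SELECT name FROM registrations WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && $row['name'] === $expected;
}

$newId = registerAttendee($pdo, $eventId, $name, $email);

// Redisplay the submitted name in the form (for example after a validation error).
echo '<input type="text" name="name" value="' . h($name) . '">', PHP_EOL;

// URL boundary: urlencode() each query-string VALUE, then h() the finished URL
// because it is being written into an HTML attribute.
$link = 'confirm.php?pk=' . urlencode((string)$newId) . '&name=' . urlencode($name);
echo '<a href="' . h($link) . '">Confirm registration</a>', PHP_EOL;

// Escaping happened at the output boundaries, not on the way into storage, so the
// database row still holds the raw name exactly as submitted.
echo storedNameMatches($pdo, $newId, $name) ? 'stored raw: yes' : 'stored raw: NO', PHP_EOL;
```

Run it with `php example.php` (PHP 7.0 or later with pdo_sqlite). The point to take away for a Dreamweaver-generated site is the ordering: cast or bind on the way into the query, and escape only inside the echo that writes HTML or builds a link; escaping the variable once at the top of the page would corrupt the stored data and still leave whichever boundary was not matched exposed.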
PostPosted: Mon Nov 21, 2011 12:25 pm 
Forum Newbie

Joined: Sun Nov 20, 2011 1:46 pm
Posts: 3
Thank you twin

Powered by phpBB® Forum Software © phpBB Group