PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
It is currently Fri Jun 05, 2020 2:32 am

All times are UTC - 5 hours

Post new topic Reply to topic  [ 4 posts ] 
Author Message
PostPosted: Sat Jan 28, 2012 9:01 am 
Forum Newbie

Joined: Mon Jun 14, 2010 2:37 am
Posts: 7
I've developed a sort of a web application that allows users to register themselves and then post articles. And, since I need to accept data from users and then interact with database, sql injection bothers me a lot.

First of all, let me tell what I've done for security right now.

I've escaped all inputs. But, to remain further safe, I allow only certain characters in a field. A server-side validation checks that. The following is a list of fields and what characters I accept for example.

During registration:
[list=]Name(alphabets and period)[/list]
[list=]Username(alphanumeric characters, underscore and period)[/list]
[list=]Password(alphanumeric characters, underscore and period)[/list]
[list=]Phone(numbers only)[/list]
[list=]Address(alpha-numeric, comma and period)[/list]

See how funny thing I've done. I mean I allow only alphanumeric, underscore and period in password making the passwords insecure by myself. :banghead:

But, I can't find anything else to secure my application. I know password isn't an issue because irrespective of the characters entered, they will be hashed. So, I guess, I can accept any character. But, the main issue is for other fields. All these ridiculous validation, I guess, irritates my users to every bit.

But, the saddest thing starts when a user wants to post an article. For posting an article, there are 4 fields that need to be filled; Title, Summary, Article and Tags.

Just imagine how annoying it must be when the Title allows nothing but alphabets, space and numbers(!,? also). And, the field "Summary" also accepts the same as the Title. And, all this simply so that I can secure the web application! Ridiculous, isn't it?

For the article field, I've used ckeditor(). So, I haven't done anything as I guess it does the escaping, converting to HTMLchars and all by itself.

Now, the article field accepts Unicode characters(I mean characters in other scripts) but the title and summary doesn't. And, most of my users don't publish in English. So, in a way, the application is being useless.

So, this is basically an issue of making it user-friendly vs. security. I know there are other much better ways of ensuring security than what I've done and that's what I wanna ask you people.

I was thinking that since I don't "Select" any data on any of the above parameters(title, tags, summary, address), I can simply escape the characters and convert them to HTMLchars if they are printed on a page somewhere. But I'm not so sure if that much will be secure enough. Will it?

So, this is all! I just need something stronger to prevent SQL injection(and XSS). I know that using Prepared Statements or PDO is the best thing to do. But, I'm an extremely new beginner in all this and I can't find any simple tutorial. If you know of any, it'd be really kind of you to tell me.

Yeah! That's all! And, one more thing, most of my users don't seem to activate their account(through the email the application sends). But, I guess, that's vital to verify the email. So, is there anything that can be done? Any better idea?

P.S.: I use SQL and not SQLi. And, if I need to convert my app. from sql to sqli, can I use some sort of scripts? I came across one at .

Sorry for my poor English and hope someone will help!

PostPosted: Sun Jan 29, 2012 4:36 pm 
DevNet Master
User avatar

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za

“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering

PostPosted: Sun Jan 29, 2012 8:18 pm 
Forum Regular
User avatar

Joined: Wed Mar 05, 2008 11:23 pm
Posts: 732
Location: Sunriver, OR

PostPosted: Tue Jan 31, 2012 5:39 am 
DevNet Resident
User avatar

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
Depending on how badly the code is written, you can have SQL injection with only alphanumerics, no need for a quote.
Read my article linked in my signature on details.

Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC - 5 hours

Who is online

Users browsing this forum: No registered users and 9 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group