probably simple questions

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

ekosoftco
Forum Contributor
Posts: 108
Joined: Fri Aug 04, 2006 8:21 pm

probably simple questions

Post by ekosoftco »

feyd | Please use the forum's code tags and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


I was just wondering if anyone could help me out with how to use htmlentities().

And, for SQL injection, I know it's not a good topic to bring up, but is

<?php
// Escape the request value so a quote or backslash in it cannot break out of the
// string literal below. mysql_real_escape_string() needs an open connection.
$page = mysql_real_escape_string($_GET['page']);
// The escaped value is only safe because it sits inside the single quotes.
$res = mysql_query("SELECT * FROM table_with_pages WHERE page_id='{$page}' LIMIT 1");
?>
the best way to be safe when querying a database?

And... are those two things all I have to worry about with XSS and injection, and is that the best way to be secure with the above examples?

And... :) are there any other security issues I should worry about?


feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

htmlentities() and its cousin htmlspecialchars() have no bearing on information going into a database. They would only be used on information coming out for display in an HTML page.

Provided you are consistent in how you write your queries (like right now), mysql_real_escape_string() is generally all you need to ensure there is no injection; however, there are often added things such as filtering and validation which are field/data specific.
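The two points in the reply above, as an added example that is not from the original thread or either poster: HTML escaping is applied when a value is echoed into a page, not when it is stored, and SQL escaping only protects a value that sits between quotes, so a column like page_id that is an integer wants field-specific validation as well. The function names (html_out, build_query, build_query_unquoted, build_query_validated) and the sample inputs are constructed for this example. escape_like_mysql() is a stand-in that escapes the same characters mysql_real_escape_string() does so the script runs without a database link; real code should call mysql_real_escape_string() (or mysqli_real_escape_string(), since ext/mysql was removed in PHP 7) with a live connection, because the real function knows the connection's character set and this stand-in does not.

```php
<?php
// Added example, not code from the original post.

// Stand-in for mysql_real_escape_string(): escapes \0, \n, \r, \, ', " and \x1a.
// Only here so the script runs offline; it is NOT character-set aware, which is
// exactly why the real function needs an open connection.
function escape_like_mysql($value)
{
    return strtr($value, array(
        "\x00" => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\x1a" => "\\Z",
    ));
}

// 1. Output escaping: store the raw value, escape it at the moment it is echoed
//    into HTML. ENT_QUOTES also covers single quotes inside attributes.
function html_out($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// 2a. Quoted use: the escaped value can never leave the string literal, so a
//     quote or backslash in the input is harmless.
function build_query($input)
{
    $page = escape_like_mysql($input);
    return "SELECT * FROM table_with_pages WHERE page_id='{$page}' LIMIT 1";
}

// 2b. Unquoted use: there is nothing for the escaper to escape, so an input
//     like "1 OR 1=1" passes straight through into the WHERE clause.
function build_query_unquoted($input)
{
    $page = escape_like_mysql($input);
    return "SELECT * FROM table_with_pages WHERE page_id={$page} LIMIT 1";
}

// 3. Field-specific validation: page_id is an integer, so reject anything that
//    is not a plain digit string before it gets near the query at all.
function build_query_validated($input)
{
    if (!ctype_digit((string)$input)) {
        return null;   // caller should answer with a 404 or an error page
    }
    $page = (int)$input;
    return "SELECT * FROM table_with_pages WHERE page_id={$page} LIMIT 1";
}

// Constructed sample inputs standing in for $_GET['page'].
$samples = array("42", "1' OR '1'='1", "1 OR 1=1", "<script>alert(1)</script>");
foreach ($samples as $s) {
    echo "input:     ", $s, "\n";
    echo "html:      ", html_out($s), "\n";
    echo "quoted:    ", build_query($s), "\n";
    echo "unquoted:  ", build_query_unquoted($s), "\n";
    echo "validated: ", var_export(build_query_validated($s), true), "\n\n";
}
```

Run it with `php example.php` and compare the quoted and unquoted lines for the "1 OR 1=1" sample: the quoted query keeps the whole input inside one string literal, the unquoted one turns it into a tautology, and the validated version refuses it outright. That is the "consistent in how you write your queries" condition from the reply made concrete.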