Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I'm making a guestbook and for the most part I'm finished. The only thing I need to do now is make sure it's safe from attacks (though I don't think it's 100% safe).
Functions include adding a comment with name, email, homepage, comment and a no spam question must be answered. There is a database and an admin control panel that allows the admin to edit/delete comments and change a bunch of site parameters.
My question is where do I properly use htmlspecialchars and where do I use addslashes, etc.? I've heard htmlspecialchars is only used when outputting information, like <input type=text value="<?php echo $something; ?>">
Okay, I get the htmlspecialchars(), but what about cleaning up post variables the user submits like username, password, comment, name, etc.? These will be inserted into a database and I'm sure SQL injection is a possibility.
Jcart wrote: Apply mysql_real_escape_string() and trim() on all incoming data and you should be protected from SQL injection.
Thanks. Should I htmlspecialchars() all my post vars before putting them in the database, or do that when I'm outputting to the screen? I would think doing it before I add the info to the database would be the best. What about you?
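To make the placement of each function concrete, here is an added example that is not from this thread or any of its posters: a minimal guestbook insert and render path that stores the raw, validated values with a PDO prepared statement (used here in place of the mysql_real_escape_string() approach mentioned above) and applies htmlspecialchars() only at output time. The SQLite DSN, the table layout, the validation limits and the sample submission are all assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Uses PDO with the SQLite driver so
// it runs offline; change the DSN to mysql: for the real guestbook.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT, homepage TEXT, comment TEXT)');
// Input side: validate, then store the raw value. Injection is prevented by
// binding parameters in a prepared statement, not by addslashes() and not by
// running htmlspecialchars() before storage.
function add_comment(PDO $db, array $post): int
{
    $name     = trim((string)($post['name'] ?? ''));
    $homepage = trim((string)($post['homepage'] ?? ''));
    $comment  = trim((string)($post['comment'] ?? ''));
    if ($name === '' || strlen($name) > 60 || $comment === '') {
        throw new InvalidArgumentException('name (max 60 bytes) and comment are required');
    }
    // Only http(s) links go into an href, so a "javascript:" URL is rejected here.
    if ($homepage !== '' && !preg_match('#^https?://#i', $homepage)) {
        throw new InvalidArgumentException('homepage must start with http:// or https://');
    }
    $stmt = $db->prepare('INSERT INTO comments (name, homepage, comment) VALUES (?, ?, ?)');
    $stmt->execute([$name, $homepage, $comment]);
    return (int) $db->lastInsertId();
}

// Output side: escape once, for the context it is rendered in; ENT_QUOTES also covers single quotes in attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_comments(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT name, homepage, comment FROM comments ORDER BY id') as $row) {
        $who = $row['homepage'] !== ''
            ? '<a href="' . h($row['homepage']) . '" rel="nofollow">' . h($row['name']) . '</a>'
            : h($row['name']);
        $html .= '<div class="comment"><b>' . $who . '</b><p>' . nl2br(h($row['comment'])) . "</p></div>\n";
    }
    return $html;
}
// Constructed sample submission: quotes and tags are stored verbatim and shown as text.
add_comment($db, ['name' => "O'Brien", 'homepage' => 'https://example.com/',
                  'comment' => "Nice site! <b>not bold</b> & \"quotes\"\nline two"]);
echo render_comments($db);
```

Because the database holds the unescaped text, the same row can later be rendered in a different context (a JSON feed, an email to the admin) with the escaping that context needs, which is not possible once htmlspecialchars() has been applied before storage.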