sanitizing a guestbook

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


bobo12
Forum Newbie
Posts: 18
Joined: Sun Mar 04, 2007 3:48 pm


Post by bobo12 »

I'm making a guestbook and for the most part I'm finished. The only thing I need to do now is make sure it's safe from attacks (which I don't think it's 100% safe).
Functions include adding a comment with name, email, homepage, comment and a no spam question must be answered. There is a database and an admin control panel that allows the admin to edit/delete comments and change a bunch of site parameters.

My question is where do I properly use htmlspecialchars and where do I use addslashes, etc? I've heard htmlspecialchars is only used when output information like <input type=text value="<?php echo $something; ?>">

Thanks!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

  1. htmlspecialchars() is to be used when sending any user input data to the browser. Yes, any, unless you know exactly what you're doing.
  2. addslashes() should never be used, ever.
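To make feyd's first point concrete, here is an added example (not code from the thread) that escapes a guestbook field for the two output contexts mentioned above: visible HTML text and the `<input value="...">` attribute from the admin edit form. It assumes the page is served as UTF-8; the function names are mine.

```php
<?php
// Added example, not code from the thread: escaping a guestbook field for
// HTML body text and for a double-quoted <input value> attribute.
// Assumes the page is served as UTF-8.
declare(strict_types=1);

/** Escape untrusted text for HTML body text or a double-quoted attribute. */
function h(string $text): string
{
    // ENT_QUOTES turns both " and ' into entities so a value cannot close the
    // attribute it sits in; ENT_SUBSTITUTE replaces invalid byte sequences
    // instead of returning an empty string. (PHP 8.1+ uses these by default;
    // older versions default to ENT_COMPAT, which leaves ' untouched.)
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The "edit comment" form field from the admin panel. */
function nameField(string $name): string
{
    // h() encodes the double quote, so the value cannot end the attribute.
    return '<input type="text" name="name" value="' . h($name) . '">';
}

/** A submitted name shown as visible text. */
function nameText(string $name): string
{
    return '<p>Posted by ' . h($name) . '</p>';
}

/**
 * Why the flag matters: with ENT_COMPAT a single quote survives, so the same
 * value placed inside a single-quoted attribute would end it early.
 */
function compareFlags(string $text): array
{
    return [
        'ENT_COMPAT' => htmlspecialchars($text, ENT_COMPAT, 'UTF-8'),
        'ENT_QUOTES' => htmlspecialchars($text, ENT_QUOTES, 'UTF-8'),
    ];
}

// Constructed sample input: a name containing quotes and markup, as a
// visitor could type it into the form.
$sample = "Bob \"the\" <b>Builder</b>, aka 'Bobby'";

echo nameText($sample), "\n";
echo nameField($sample), "\n";
print_r(compareFlags($sample));
```

Run it from the command line with `php escape.php` and compare the two entries printed by `compareFlags()`: the `<b>` tags and double quotes are neutralised by both flag sets, but only ENT_QUOTES also encodes the apostrophe. Always quote attributes with double quotes when using `h()` this way, and pass the same charset the page declares.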
bobo12
Forum Newbie
Posts: 18
Joined: Sun Mar 04, 2007 3:48 pm

Post by bobo12 »

Okay, I get the htmlspecialchars(), but what about cleaning up post variables the user submits like username, password, comment, name, etc.? These will be inserted into a database and I'm sure SQL injection is a possibility.

Thanks.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Apply mysql_real_escape_string() and trim() on all incoming data and you should be protected from SQL injection.
bobo12
Forum Newbie
Posts: 18
Joined: Sun Mar 04, 2007 3:48 pm

Post by bobo12 »

Jcart wrote: Apply mysql_real_escape_string() and trim() on all incoming data and you should be protected from SQL injection.
Thanks. Should I htmlspecialchars() all my post vars before putting them in the database or do that when I'm outputting to the screen?... I would think doing it before I add the info to the database would be the best. What about you?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The answer to that is specified in my previous reply.
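John's advice above uses mysql_real_escape_string(), which belongs to the old mysql extension (deprecated in PHP 5.5 and removed in PHP 7.0). The example below, added here and not code from the thread, reaches the same goal with PDO prepared statements, which send the values separately from the SQL text, and follows feyd's answer to bobo12's last question: the comment is stored as typed (after trim()) and htmlspecialchars() is applied only when it is rendered. It uses an in-memory SQLite database so it runs stand-alone; the table layout, field names and function names are my assumptions, and a MySQL guestbook would change only the DSN and credentials in openDb().

```php
<?php
// Added example, not code from the thread: store guestbook comments with a
// prepared statement and escape for HTML only at display time. Uses SQLite
// in memory so it runs stand-alone; table and field names are assumptions.
declare(strict_types=1);

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE comments (
        id INTEGER PRIMARY KEY,
        name TEXT NOT NULL, email TEXT NOT NULL, homepage TEXT NOT NULL,
        comment TEXT NOT NULL, created TEXT NOT NULL)');
    return $pdo;
}

/** Insert one comment from a $_POST-shaped array; returns the new row id. */
function addComment(PDO $pdo, array $post): int
{
    $fields = [];
    foreach (['name', 'email', 'homepage', 'comment'] as $f) {
        // trim() every incoming field; the text is otherwise stored as typed.
        $fields[$f] = trim((string) ($post[$f] ?? ''));
    }
    if ($fields['name'] === '' || $fields['comment'] === '') {
        throw new InvalidArgumentException('name and comment are required');
    }
    // Named placeholders keep the data out of the SQL text, so no quoting or
    // escaping function is needed and quotes in the input are harmless.
    $stmt = $pdo->prepare(
        'INSERT INTO comments (name, email, homepage, comment, created)
         VALUES (:name, :email, :homepage, :comment, :created)'
    );
    $stmt->execute($fields + ['created' => gmdate('c')]);
    return (int) $pdo->lastInsertId();
}

function listComments(PDO $pdo): array
{
    return $pdo->query(
        'SELECT name, email, homepage, comment, created FROM comments ORDER BY id DESC'
    )->fetchAll(PDO::FETCH_ASSOC);
}

/** Only http(s) URLs become links; anything else is shown as plain text. */
function isHttpUrl(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return $scheme === 'http' || $scheme === 'https';
}

/** Escape at output time: the stored text is raw, the emitted HTML is not. */
function renderComments(array $rows): string
{
    $h = fn (string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $out = '';
    foreach ($rows as $r) {
        $author = $h($r['name']);
        if ($r['homepage'] !== '') {
            $author = isHttpUrl($r['homepage'])
                ? '<a href="' . $h($r['homepage']) . '" rel="nofollow">' . $author . '</a>'
                : $author . ' (' . $h($r['homepage']) . ')';
        }
        $out .= "<div class=\"comment\">\n"
              . '  <p>' . $author . ' on ' . $h($r['created']) . "</p>\n"
              . '  <p>' . nl2br($h($r['comment'])) . "</p>\n"
              . "</div>\n";
    }
    return $out;
}

// Constructed sample submissions, shaped like $_POST from the guestbook form.
$pdo = openDb();
addComment($pdo, [
    'name'     => "  O'Brien ",             // apostrophe and stray whitespace
    'email'    => 'obrien@example.com',
    'homepage' => 'http://example.com/',
    'comment'  => "Nice site!\nI like the <b>design</b>.",
]);
addComment($pdo, [
    'name'     => 'Anon',
    'email'    => '',
    'homepage' => 'example.com',            // no scheme: shown as text, not linked
    'comment'  => 'First "post"',
]);
echo renderComments(listComments($pdo));
```

Run with `php guestbook.php` (the pdo_sqlite extension must be enabled). The apostrophe in "O'Brien" reaches the database intact because it never becomes part of the SQL string, and the `<b>` tags in the comment are shown as literal text because escaping happens in renderComments(). Storing the raw text also keeps it usable for non-HTML output later (an RSS feed, a plain-text e-mail notification), which is why escaping at output rather than before the INSERT is the better choice.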