Strip_Tags, Mysql_real_escape_string, htmlentities, etc.


So now I'm getting to the point in coding PHP where I realize how many ways there are for someone to get around security. Half of my code consists of security :/. So, do any of you experienced programmers know if any of the above is better than the others? For maximum security should I use Strip Tags, Mysql_real_escape_string, and all the other different security codes? Or would just one cover basically all security breaches? Or a certain two? Can I get any recommendations so I don't forget things while coding or put un-needed security into my scripts?

 

Thanks

-Elivmar

Or would just one cover basically all security breaches?

Of course not!

 

You use whichever technique applies to your situation.

 

The first thing you do is validate input data. If you expect it to conform to a certain pattern you make sure it does. For instance, if you are allowing someone to enter an email address you make sure they can only enter a valid email address. And make sure they haven't put a newline character in it (google: header injection http://www.google.co.uk/search?q=header+injection )

 

If you expect a number, check it really is a number. If they are entering something that should be positive, make sure it really is positive.

 

After you've verified all input data to the fullest extent, you can perform any operations you want to on it.

 

Then you come to output it; this is where you do your escaping. (Using the data in an SQL query counts as output because the data goes somewhere else.)

 

At which point you perform escaping in accordance with what you are trying to do.

If you are using it in a mySQL query then use a mySQL escaping function; if you are putting it in an HTML page use either HTML entities or HTML special chars (be careful with quote characters, not all of them are escaped by default).

 

Remember, if you pull something out of your database that was originally input by the user and you are going to put it in a webpage, it still needs to be escaped, as the mySQL escaping was only used to get the data into the DB.

 

You might want to Google for "PHP Security"

 

Andy
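The validate-then-escape flow Andy describes, written out as an added example (not code from the original post). It assumes a `subscribers` table with `email` and `age` columns and placeholder database credentials, and it uses a mysqli prepared statement in place of the escaping function mentioned above, since binding the value keeps it out of the query text altogether.

```php
<?php
// Added example of the validate-then-escape flow from the answer above; not
// code from the original post. Table, columns and credentials are placeholders.

// 1. Validate input: reject anything that is not a well-formed address, and
//    anything containing CR/LF (the header-injection case the post links to).
function validate_email(string $raw): ?string {
    $email = trim($raw);
    if (preg_match('/[\r\n]/', $email)) {
        return null;                      // newline smuggled in: refuse it
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

// 2. Validate a number that must be a positive integer. Strings such as
//    "12abc" or "-3" are rejected rather than silently cast.
function validate_positive_int(string $raw): ?int {
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// 3. Output to MySQL: a prepared statement binds the value separately from the
//    query text, so no escaping of the data is needed here.
function insert_subscriber(mysqli $db, string $email, int $age): void {
    $stmt = $db->prepare('INSERT INTO subscribers (email, age) VALUES (?, ?)');
    $stmt->bind_param('si', $email, $age);
    $stmt->execute();
}

// 4. Output to HTML: escape at the point of output, with ENT_QUOTES so that
//    both " and ' are converted (older PHP left ' alone by default). Data read
//    back from the database still goes through this step before display.
function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$email = validate_email($_POST['email'] ?? '');
$age   = validate_positive_int($_POST['age'] ?? '');
if ($email === null || $age === null) {
    exit('Invalid input.');
}
$db = new mysqli('localhost', 'user', 'pass', 'example_db');   // placeholder credentials
insert_subscriber($db, $email, $age);
echo '<p>Registered: ' . html($email) . '</p>';
```

Each value is checked once on the way in and escaped for the specific destination on the way out; the HTML escaping is applied again to anything read back from the database, as the answer points out.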
