Desbrina (Jadeite)
Joined: 11 Jun 2005 | Posts: 2972 | Location: Earth
Posted: Mon Dec 03, 2007 4:27 pm
Post subject: best way to protect script
I'm writing a script, and part of it allows the user to customise their page.
Now I don't want the user to be able to use any type of SQL, since all the SQL they need is included in a function.
What's the best way of stopping them inserting SQL, or telling them to remove it before it'll save?
_________________
Midnight Tempest - A Sailor Moon TCG
Balanced Force - A Star Wars TCG
ClickFanatic (Est. 2005)
Joined: 18 Jan 2005 | Posts: 3926 | Location: A particular geographic area
Posted: Mon Dec 03, 2007 6:01 pm
mysql_real_escape_string() on all input is the easiest way. You could do some validation as well, depending on the expected type of input (for example: only alphanumeric characters in a name, only numbers for an age, etc.).
However, that one function should protect you from SQL injection.
What you also need to worry about is HTML insertion. Since you will be allowing people to customise their page, you don't want to allow much or any HTML. When properly inserted, some HTML with a bit of JavaScript can steal a cookie and put the user account at risk.
You might want to use strip_tags() or htmlspecialchars() on the input, too.
Check the PHP manual to see what they do.
_________________
Captain Jell-O Buster from the Future
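The reply above names strip_tags() and htmlspecialchars() without showing what they do to a customisation string. The following is an added example, not code from the thread or from any of the posters, that runs both over a constructed profile blurb containing a script tag and an event-handler attribute. It also covers the case a practitioner needs to know about: strip_tags() with an allow-list keeps every attribute on the allowed tags, so the allow-list version needs its own attribute removal. The function names and the sample blurb are assumptions made for the example.

```php
<?php
// Added example (not code from the thread). Shows what the two functions named in the
// reply actually do to a customisation string, and the case where strip_tags() alone
// is not enough.

// Constructed sample input: a profile blurb that carries a script tag and an allowed
// tag that smuggles an event-handler attribute.
$blurb = 'Welcome to <b onmouseover="alert(document.cookie)">my page</b>'
       . '<script>alert(document.cookie)</script>';

/**
 * Safest default: store the text exactly as typed and escape it at output time, so
 * the browser renders every tag and quote literally instead of interpreting it.
 */
function renderAsText(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * strip_tags() with no allow-list removes every tag, including <script> and the
 * <b> that carried the onmouseover attribute. Note that it removes tags only: the
 * text between <script> and </script> stays behind as plain, inert text.
 */
function stripAllTags(string $input): string
{
    return strip_tags($input);
}

/**
 * Caveat: strip_tags() with an allow-list keeps the allowed tags together with all
 * their attributes, so the onmouseover handler on <b> would survive. The attribute
 * removal below rewrites each surviving allowed opening tag as a bare tag, which is
 * sufficient only because none of the allowed tags legitimately needs attributes.
 */
function stripToAllowList(string $input, array $allowed = ['b', 'i', 'u']): string
{
    $allowedSpec = '<' . implode('><', $allowed) . '>';   // strip_tags() format: "<b><i><u>"
    $stripped = strip_tags($input, $allowedSpec);
    // "<b onmouseover=...>" becomes "<b>"; closing tags and unrelated tags like <br> are untouched.
    $pattern = '/<(' . implode('|', array_map('preg_quote', $allowed)) . ')\b[^>]*>/i';
    return preg_replace($pattern, '<$1>', $stripped);
}

echo "Escaped:    " . renderAsText($blurb) . "\n";
echo "Stripped:   " . stripAllTags($blurb) . "\n";
echo "Allow-list: " . stripToAllowList($blurb) . "\n";
```

Escaping on output (renderAsText) is the option that loses nothing the user typed and leaves the browser nothing to execute; stripping changes the stored text and, with an allow-list, is only as safe as the attribute handling that goes with it.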
hellonull (Novice Poster)
Joined: 08 Jul 2005 | Posts: 39 | Location: in front of the computer
Posted: Mon Dec 17, 2007 1:37 am
A combination of sprintf() and mysql_real_escape_string(). See the latter's page in the PHP manual for an example of how to use the two together.
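The last two replies describe the sprintf() plus mysql_real_escape_string() pattern from the PHP manual and suggest validating input by expected type. The following is an added example, not code from the thread or from any of the posters, that puts both together for saving a user's page settings, and then shows the same write as a prepared statement, which makes the question of detecting "any type of SQL" in the user's text moot: the text is passed as data and cannot alter the statement. ext/mysql, and with it mysql_real_escape_string(), was removed in PHP 7.0; mysqli_real_escape_string() has the same semantics and is used here so the code runs on current PHP. The table and column names, the connection details, and the sample input are assumptions made for the example.

```php
<?php
// Added example (not code from the thread). Validates, then builds the UPDATE for a
// user's page settings with sprintf() + mysqli_real_escape_string() (the PHP manual's
// pattern for mysql_real_escape_string(), which ext/mysql no longer provides since
// PHP 7.0), and finally does the same write as a PDO prepared statement.

// Constructed sample input, as it would arrive in $_POST. The title carries a quote
// and a comment marker: exactly the input that breaks a naively interpolated query.
$input = [
    'user_id' => '42',
    'title'   => "Desbrina's page'; DROP TABLE users; -- ",
    'colour'  => 'a1b2c3',
    'age'     => '30',
];

/**
 * Validate before escaping: reject input that does not have the expected shape.
 * Returns an array of error messages; an empty array means every field is acceptable.
 * Note that a free-text title legitimately may contain quotes or SQL keywords, so
 * validation alone is not what keeps it out of the query structure.
 */
function validateSettings(array $in): array
{
    $errors = [];
    if (!ctype_digit($in['user_id'] ?? '')) {
        $errors[] = 'user_id must be a positive integer';
    }
    if (!isset($in['title']) || $in['title'] === '' || strlen($in['title']) > 100) {
        $errors[] = 'title must be 1 to 100 characters';
    }
    if (!preg_match('/^[0-9a-f]{6}$/', $in['colour'] ?? '')) {
        $errors[] = 'colour must be six lowercase hex digits';
    }
    $ageOpts = ['options' => ['min_range' => 1, 'max_range' => 150]];
    if (filter_var($in['age'] ?? '', FILTER_VALIDATE_INT, $ageOpts) === false) {
        $errors[] = 'age must be an integer between 1 and 150';
    }
    return $errors;
}

/**
 * Escaped-string approach from the thread. Every string value goes through
 * mysqli_real_escape_string() and lands inside single quotes in the format string;
 * numbers use %d so they never reach the query as text. The escaping function needs
 * a live connection because escaping depends on the connection's character set.
 */
function buildUpdateQuery(mysqli $link, array $in): string
{
    return sprintf(
        "UPDATE user_pages SET title = '%s', colour = '%s', age = %d WHERE user_id = %d",
        mysqli_real_escape_string($link, $in['title']),
        mysqli_real_escape_string($link, $in['colour']),
        (int) $in['age'],
        (int) $in['user_id']
    );
}

/**
 * Prepared-statement approach: the statement text and the values travel separately,
 * so nothing in $in can change the statement's structure, quoted or not.
 */
function saveSettings(PDO $pdo, array $in): int
{
    $stmt = $pdo->prepare(
        'UPDATE user_pages SET title = :title, colour = :colour, age = :age WHERE user_id = :id'
    );
    $stmt->bindValue(':title',  $in['title']);
    $stmt->bindValue(':colour', $in['colour']);
    $stmt->bindValue(':age',    (int) $in['age'],     PDO::PARAM_INT);
    $stmt->bindValue(':id',     (int) $in['user_id'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Usage (host, credentials and database name are assumptions for the example).
$errors = validateSettings($input);
if ($errors) {
    // Tell the user what to fix instead of silently rewriting their input.
    echo implode("\n", $errors), "\n";
    exit(1);
}
$link = mysqli_connect('localhost', 'app', 'secret', 'site');
echo buildUpdateQuery($link, $input), "\n";   // the title is embedded as an escaped string literal

$pdo = new PDO('mysql:host=localhost;dbname=site', 'app', 'secret',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
printf("%d row(s) updated\n", saveSettings($pdo, $input));
```

Two details worth checking in any code that follows the sprintf() pattern: an escaped value is only safe when it sits between quotes in the format string (an unquoted `WHERE user_id = %s` is still injectable, hence `%d` and the integer casts above), and mysqli_real_escape_string() must be called on an open connection, since it escapes according to that connection's character set.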