ASP Best Practice
Remove the single quote from all form data sent either by GET or POST
var = Replace(Request.Form("formelement"), "'", "''")
If it is only ever going to be a numeric field, use the ISNUMERIC() function.
PHP Best Practice
As with ASP, remove the single quote ( ' ).
Use regex to validate input.
[webmasterworld.com...] (me again)
[sitepoint.com...]
Now I know I have only just touched on this but it is something that we should all be aware of and take steps to ensure we don’t give ourselves any more grief than necessary.
Does anyone care to share functions or code snippets to help out?
What issues do you see with certain word stripping, cross-site scripting... the list goes on. Can we compile a list of security issues? Go on, you know it makes sense.
I work with JSP mainly, so I've got a JavaBean which I use with forms. All user input is parsed with this bean when the form 'action' page receives it. To catch SQL injection it just removes any character which matches one from an array (there are a few other symbols in there too for other uses):
private final static char [] symbols = {'-', '/', ';', ':', '\'', '\\', '"', '+', '<', '>', '%'};
Then on the DB side of things, I set up specific users in MySQL with only the privileges they need, e.g. if it's pages which just display product listings, say, the user which those pages connect to the DB with has read-only privileges only on the tables it needs to access.
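The three input-handling approaches in this thread (the ASP quote doubling, the ISNUMERIC() check for id fields, and the JSP bean's symbol list) side by side in Python, as an added example that is not code from either poster; it goes beyond the thread by also showing the parameterised query form a database driver provides. The customers table and the name O'Brien are constructed sample data.

```python
import re
import sqlite3

# The characters the JSP bean described in the thread strips from every form
# field (the poster's symbols array, copied as a Python set).
STRIP_SYMBOLS = set("-/;:'\\\"+<>%")

def asp_double_quotes(value: str) -> str:
    """ASP approach: Replace(value, "'", "''") keeps the quote but doubles it,
    so it stays inside the SQL string literal instead of closing it."""
    return value.replace("'", "''")

def strip_symbols(value: str) -> str:
    """JSP bean approach: drop every listed character outright."""
    return "".join(ch for ch in value if ch not in STRIP_SYMBOLS)

def is_numeric(value: str) -> bool:
    """The thread's ISNUMERIC() advice for id fields, restricted to integers
    (a whole-string regex, so '42abc' is rejected)."""
    return re.fullmatch(r"-?\d+", value) is not None

def make_demo_db() -> sqlite3.Connection:
    """Constructed sample table for the example (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO customers VALUES (7, ?)", ("O'Brien",))
    conn.commit()
    return conn

def lookup_by_name_doubling(conn, name: str):
    """String-built query protected only by quote doubling, as in the ASP post."""
    sql = "SELECT id, name FROM customers WHERE name = '%s'" % asp_double_quotes(name)
    return conn.execute(sql).fetchone()

def lookup_customer(conn, name: str, customer_id: str):
    """Parameterised form: the driver binds values separately from the SQL
    text, so no quote handling is needed; the id is still type-checked."""
    if not is_numeric(customer_id):
        raise ValueError("customer_id must be numeric")
    return conn.execute(
        "SELECT id, name FROM customers WHERE name = ? AND id = ?",
        (name, int(customer_id)),
    ).fetchone()

if __name__ == "__main__":
    db = make_demo_db()
    print(asp_double_quotes("O'Brien"))            # O''Brien
    print(strip_symbols("O'Brien"))                # OBrien: legitimate data lost
    print(lookup_by_name_doubling(db, "O'Brien"))  # (7, "O'Brien")
    print(lookup_customer(db, "O'Brien", "7"))     # (7, "O'Brien")
```

Note that the symbol-stripping bean silently changes a legitimate name, so the stripped value no longer matches the stored row, whereas both the doubled-quote query and the parameterised query find it.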