this is what i have done so far to ensure security
1) all values are POST
2) the mysql user who inserts the values of the textarea into the db can only INSERT
3) i have replaced characters such as $ and = with harmless ones ('$' with '$ ', '=' with 'equals')
4) i use strip_tags() and htmlentities()
5) all reviews have to be manually approved before being published online
is there anything else i should do? the more i think about it, the more i think just point 2) is enough to ensure total data integrity, but i am just learning, so i would really appreciate some other tips on keeping security tight.
i have read a lot about php security online, but most of the $variable checking involves emails or simple strings. the reviews in question can be many words long, and natural English includes many special characters which i am not keen to disallow, because it would always return an error and frustrate the user.
any tips are much appreciated
cheers!
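As an added illustration of the setup described in the post above (this is not the poster's code), here is what the INSERT step looks like when the review text is passed to MySQL as a bound parameter of a PDO prepared statement instead of being spliced into the query: the $ and = substitutions become unnecessary, strip_tags() is still applied on input, htmlentities() is applied only when rendering, and every row starts unapproved for the manual moderation step. The table `reviews`, its columns, the DSN and the account name are assumed placeholders.

```php
<?php
// Added example, not the original poster's code. Assumptions: a table
// `reviews` (id, body, approved) and a MySQL account with only INSERT on it,
// as in the post. DSN and credentials below are placeholders.

function connectAsInserter(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=site;charset=utf8mb4';
    return new PDO($dsn, 'review_inserter', 'PLACEHOLDER_PASSWORD', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
}

// Keep the user's prose intact: strip tags, undo magic_quotes if an old PHP
// added backslashes, and enforce a length limit. No character substitutions
// are needed because the text never becomes part of the SQL string.
function cleanReview(string $raw): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $raw = stripslashes($raw);
    }
    $text = trim(strip_tags($raw));
    if ($text === '' || mb_strlen($text) > 5000) {
        throw new InvalidArgumentException('review must be 1..5000 characters');
    }
    return $text;
}

function storeReview(PDO $pdo, string $body): void
{
    // :body is bound as data, so $, =, quotes and semicolons inside the review
    // cannot alter the statement. approved = 0 until a moderator publishes it.
    $stmt = $pdo->prepare('INSERT INTO reviews (body, approved) VALUES (:body, 0)');
    $stmt->execute([':body' => $body]);
}

// Escape at output time only, so the stored text stays exactly as typed.
function renderReview(string $body): string
{
    return '<p>' . nl2br(htmlentities($body, ENT_QUOTES | ENT_HTML5, 'UTF-8')) . '</p>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['review'])) {
    $body = cleanReview((string) $_POST['review']);
    storeReview(connectAsInserter(), $body);
    echo 'Thanks, your review is awaiting moderation.';
}
```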
not sure what everyone has against magic quotes; yours is not the first comment i have read online ;-) but i couldn't find anything directly related to security.
i have seen recommendations to check whether magic quotes is on or off and return code accordingly, but we have our own server which i have set up.
register globals is of course off! ;-)
cheers for feedback!
And that's just the beginning :)
The main issue is they take control away from you... for example, they assume you don't want to do SQL injection... when from time to time you _do_ - i've used it purposely before.