Forum Moderators: coopster
What measures do you take to before inserting a record into database to eliminate sql injections and other potential security hazards?
1.strip_tags : seems this will take care of removing html, php tags, but wouldn’t remove things like javascript?
2.better yet perhaps remove everything between any < and >
3.including sql statements into text input: how would you detect a sql presence in a text?
What other dangers can be present in text input? How do you deal with them? what is your php/mysql checklist?
There must be a php class doing this already, if you know one what is it?
I usually trim, strip_tags and mysql_real_escape_string
you can do a strip for everything between <script and </script>
You can have an allowed set of chars as well, that all depends on understanding what data would be "normal" for your application
>> perhaps remove everything between any < and >
watch that one as I just used those chars properly above. If you were expecting people to submit mathematical equations or code then that would also be a problem
the big thing is to have your standard safeguards, then to profile your expected input, what will users be submitting, and then see if you can have extra rules
I don't actually believe in cleaning data. I validate it, if it doesn't pass then you throw it back to the user to correct. There isn't much point in trying to correct their mistakes, let them do it. It helps to educate them as well.
also don't be overly verbose in your error messages, tell them what they need to know but don't give too much info in case you give a potential hacker extra info.
I also like to log all failures, it helps me to see what my script is doing and helps me better profile what may, or may not, need to be done.
I will also implement mysql_real_escape_string.
