What tricks do you guys use to make sure that users dont user input boxes to compromise the security of your website?

mysql_real_escape_string prevents most kinds of sql injections, you should also validate any data a user submits.

I'm a big fan of sterilisation. The functions are serialize($var) and unserialize($var) it's quite useful. I would also reccomend you try md5/base64 something then compare it.

For forms, take a look at:
- Timestamps
- CAPACHA (sp?) - that thing where you type the words in the image.
- Checking how long a stamp takes to submit, if it's too quick ignore it.

Here is (hopefully) a helpful resource to give you some basic cleaning tools for your users input. This type of input cleaning forces the input into specific types. Would be best to used written in functions, and also allow the recursive cleaning within arrays.

PHP Code:

<?php
  
  //  Signed Integer
  //  Can be any whole number pos or neg
  $int = intval($_REQUEST['int']);
  
  //  Unsigned Integer
  //  Can be any whole number pos only
  $uint = ($uint = intval($_REQUEST['uint'])) < 0 ? 0 : $uint;
  
  //  Signed Floating Number
  //  Can be any floating (decimal) number pos or neg
  $float = floatval($_REQUEST['float']);
  
  //  Unsigned Floating Number
  //  Can be any floating (decimal) number pos only
  $ufloat = ($ufloat = intval($_REQUEST['ufloat'])) < 0 ? 0 : $ufloat;
  
  //  Boolean
  //  Will set to True or False
  $bool = (bool)$_REQUEST['bool'];
  
  //  String for possible SQL
  //  This only cleans the string, still needs to be
  //  properly escaped before submitting SQL query
  $string = trim(stripslashes($_REQUEST['string']));
  
  //  String for HTML Display
  //  Allows strings to be safely displayed on HTML pages
  //  second line helps prevent RSS attacks
  $html = htmlentities(trim(stripslashes($_REQUEST['html'])));
  $html = preg_replace(array('#javascript#i', '#vbscript#i'), array('java script', 'vb script'), $html);

Quote:

Originally Posted by rogem002

I'm a big fan of sterilisation. The functions are serialize($var) and unserialize($var) it's quite useful.

How will serialize and unserialize function will help with form security? I think you've misunderstood the purpose of those functions.

To the OP, validate user input, use mysql_real_escape or similar function for storing data in your db and use htmlentities function for displaying user generated content.

Quote:

Originally Posted by dman_2007

How will serialize and unserialize function will help with form security? I think you've misunderstood the purpose of those functions.

To the OP, validate user input, use mysql_real_escape or similar function for storing data in your db and use htmlentities function for displaying user generated content.

I don't think serialize and unseiralize were intended for this, but it has the same effect, any intended mysql injection once serialized would be to no avail.

If Im already encrypting a password with md5 I guess I dont really need this for the password but I supposed for anything SELECTED from a database I would need to and not just for inserting.

None of you guys mentioned strip_tags or w/e it is. Is that not necessary because Im using mysql_real_escape_string?