Tycoon Talk
Tycoon Talk is part of Freelancer.com - find skilled workers online at a fraction of the cost.

PHP Forum


04-05-2010, 07:17 PM: Security Help
Posted by millwalll (James, Location: KENT)
Hi all,

I just had one question: what is the best way to take input from a form and make sure it's secure? I've been doing a bit of research and so far I've found stuff like

stripslashes
mysqli_real_escape_string
strip_tags
htmlentities

What's the best, or is it a case of using them all??
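As an added example (not code from any poster in this thread), here are the four functions James lists applied to one constructed input, side by side with the two things a PHP form handler actually needs: HTML escaping at output time and a prepared statement for the database. It assumes PHP 7.4+ with the mysqli extension; the `$sample` string, the `comments` table and the `insert_comment()` helper are invented for the demo.

```php
<?php
// Added example for this thread, not code from any poster. Assumes PHP 7.4+ with the
// mysqli extension. The $sample string and the comments table are constructed for the demo.
declare(strict_types=1);

// One input that exercises every function in the question: tags, quotes, a backslash.
$sample = "<b>Tom</b> O'Reilly \\ said \"hi\" <script>alert(1)</script>";

// What each listed function does to the same string. None of them is a general
// "make it safe" filter; each targets one specific context.
function compare_filters(string $in): array
{
    return [
        // Removes backslashes. Only meaningful for undoing addslashes()/magic_quotes_gpc;
        // applied to clean data it silently eats legitimate backslashes.
        'stripslashes'     => stripslashes($in),
        // Deletes markup but keeps the text between tags, so "alert(1)" survives.
        // It is a formatting tool, not an escaper.
        'strip_tags'       => strip_tags($in),
        // Encodes <, >, &, quotes and every other character that has an HTML entity.
        'htmlentities'     => htmlentities($in, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        // Encodes only the characters HTML itself interprets; usually the right choice.
        'htmlspecialchars' => htmlspecialchars($in, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
    ];
}

// HTML context: escape when the value is written into the page, not when it arrives.
// The raw value stays intact in storage so it can be reused in other contexts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// SQL context: a prepared statement sends the data separately from the query text,
// so no escaping function is involved at all. mysqli_real_escape_string() is only for
// the case where a string really has to be concatenated into SQL.
function insert_comment(mysqli $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $author, $body);
    $stmt->execute();
    return (int) $stmt->insert_id;
}

if (PHP_SAPI === 'cli') {
    foreach (compare_filters($sample) as $name => $out) {
        printf("%-16s %s\n", $name, $out);
    }
    // The same raw value rendered into HTML: the script tag arrives as harmless text.
    echo '<p>', h($sample), "</p>\n";
    // With a real database: insert_comment(new mysqli('localhost', 'user', 'pass', 'app'), 'James', $sample);
}
```

Run it from the command line to see that `strip_tags` leaves `alert(1)` behind as plain text and that `stripslashes` removes the legitimate backslash, which is why neither is a substitute for escaping for the context the value is finally used in.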
04-05-2010, 07:24 PM: Re: Security Help
Posted by tripy (Thierry)
Well, they all do different things, and you should read the manual to understand what they do.
All of them are used to avoid SQL injection as far as possible, but they are not security related in any way.

If you want a secure form, then only use an SSL-enabled site.
Do not store unencrypted passwords.
Encrypt them with a non-reversible algorithm, and use a different seed for each user.
Challenge every action the user can make.
Prevent form forging by using a hash in each form that would change on every page access. Then a user could not simply send a form from nowhere and gain access; he would need to go through your pages to do so.

Making a system secure is not done by using a given function, but by making it as complicated as possible for people trying to get in without the right information.
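Two of Thierry's points, the per-user salted one-way password storage and the per-form hash, in working PHP. This is an added example, not code from the thread; it assumes PHP 7.0+ (`password_hash`, `random_bytes`, `hash_equals`) and uses plain arrays `$users` and `$session` in place of a user table and `$_SESSION`.

```php
<?php
// Added example for this thread, not code from any poster. Assumes PHP 7.0+
// (password_hash, random_bytes, hash_equals). $users and $session are plain arrays
// standing in for the user table and for $_SESSION.
// On the SSL point: session_set_cookie_params(['secure' => true, 'httponly' => true])
// keeps the session cookie off plain HTTP once the site is served over HTTPS.
declare(strict_types=1);

// "Non-reversible algorithm with a different seed for each user": password_hash()
// salts each hash with fresh random bytes and stores the salt inside the hash string,
// so verification needs nothing but the stored value.
function store_password(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function check_password(array $users, string $username, string $password): bool
{
    // Verify against a throwaway hash for unknown users so the response time does not
    // reveal whether the account exists.
    static $dummy = null;
    $dummy = $dummy ?? password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    $hash = $users[$username] ?? $dummy;
    return password_verify($password, $hash) && isset($users[$username]);
}

// "A hash in each form that changes on every page access": a random token is stored in
// the session and embedded in the form; a submission must echo it back. A form posted
// "from nowhere" carries no token, and a replayed form fails because the token is consumed.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_token'] = $token;
    return $token;
}

function form_token_field(array &$session): string
{
    $token = htmlspecialchars(issue_form_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="form_token" value="' . $token . '">';
}

function consume_form_token(array &$session, ?string $submitted): bool
{
    $expected = $session['form_token'] ?? null;
    unset($session['form_token']);                  // single use
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);      // constant-time comparison
}

if (PHP_SAPI === 'cli') {
    $users = [];
    store_password($users, 'james', 'correct horse');
    var_dump(check_password($users, 'james', 'correct horse'));
    var_dump(check_password($users, 'james', 'wrong'));
    var_dump(check_password($users, 'nobody', 'correct horse'));

    $session = [];
    echo form_token_field($session), "\n";
    $token = $session['form_token'];
    var_dump(consume_form_token($session, $token));   // first submission
    var_dump(consume_form_token($session, $token));   // same token replayed
}
```

In a real handler, pass `$_SESSION` where the example passes `$session` and `$_POST['form_token'] ?? null` where it passes `$token`; the token check belongs before any state-changing action, which is the "challenge every action" point in the post.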
04-05-2010, 07:43 PM: Re: Security Help
Posted by millwalll (James, Location: KENT)
Hi, thanks. The reason I asked is that I am reading a book on PHP and MySQL and it says that you should use mysqli_real_escape_string on any input from a form.
04-05-2010, 09:24 PM: Re: Security Help
Posted by tripy (Thierry)
Like I said, real_escape_string is just a function that prevents SQL injection.
Using it doesn't make a form secure.
And besides, and a lot of people don't realize this, you must have an open connection to a MySQL DB to use this.
Otherwise, you will get back an empty string.
http://www.php.net/manual/en/functio...ape-string.php
Quote:
Notes
Note: A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.

Note: If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.

Note: If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks.


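The two manual notes Thierry quotes, turned into code: undo magic_quotes once at the edge so nothing is escaped twice, and refuse to build a SQL literal when there is no live connection instead of silently concatenating an empty string. This is an added example, not code from the thread or from the PHP manual; it assumes PHP 7.4+ and uses a constructed `$post` array in place of `$_POST`. `addslashes()` stands in for the connection-bound escaper in the double-escaping demo because it needs no server and escapes `'` and `\` the same way magic_quotes_gpc did.

```php
<?php
// Added example for this thread, not code from any poster. Assumes PHP 7.4+; mysqli is
// only needed by sql_literal(). Sample values are constructed.
declare(strict_types=1);

// Manual note 2: magic_quotes_gpc (PHP < 5.4) had already run addslashes() over every
// request value. Undo that once, at the point the value enters the application, so the
// database escaping later is applied exactly once. The function_exists() guard keeps
// this running on PHP 8, where get_magic_quotes_gpc() no longer exists.
function request_value(array $source, string $key): ?string
{
    $value = $source[$key] ?? null;
    if (!is_string($value)) {
        return null;
    }
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Manual note 1: the escaping rules depend on the connection's character set, so the
// function needs a live connection. The old mysql_* version returned FALSE (which
// concatenates as an empty string); mysqli warns or throws instead. Either way, turn the
// failure into an exception so a broken connection can never yield an unescaped literal.
function sql_literal(mysqli $db, string $value): string
{
    try {
        $escaped = $db->real_escape_string($value);
    } catch (Throwable $e) {
        throw new RuntimeException('cannot escape without a MySQL connection', 0, $e);
    }
    if (!is_string($escaped)) {
        throw new RuntimeException('cannot escape without a MySQL connection');
    }
    return "'" . $escaped . "'";
}

// The double-escaping trap, shown with addslashes() because it needs no server and
// escapes ' and \ the same way magic_quotes_gpc did.
function double_escape_demo(string $raw): array
{
    $once  = addslashes($raw);                        // what magic_quotes already did
    $twice = addslashes($once);                       // escaping again: stray backslash stored
    return [
        'raw'   => $raw,
        'once'  => $once,
        'twice' => $twice,
        'fixed' => addslashes(stripslashes($once)),   // strip first, then escape once
    ];
}

if (PHP_SAPI === 'cli') {
    $post = ['name' => "O'Reilly"];                   // constructed stand-in for $_POST
    foreach (double_escape_demo((string) request_value($post, 'name')) as $k => $v) {
        printf("%-6s %s\n", $k, $v);
    }
}
```

The `twice` row is what ends up in the database when a value that magic_quotes already escaped is escaped again; the `fixed` row shows the order the manual note prescribes. Prepared statements sidestep both notes entirely, since no string is ever escaped.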
 