[thelist] Keeping PHP forms secure

Nan Harbison nan at nanharbison.com
Fri Aug 3 15:15:19 CDT 2007

Thanks Andrew. 

I would never have thought to check the data, I was only checking for empty
fields that are required. And I will use htmlentities.


-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Andrew Kamm
Sent: Friday, August 03, 2007 3:51 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Keeping PHP forms secure

> Is this enough to keep the database safe from attack? It seems like 
> there should more to this but I have googled and didn't find anything.

For the most part, but you may also want run a 'sanity check' on individual
fields to make sure they're appropriate and that someone isn't trying to
manipulate your application while trolling for holes.
If you're getting a paragraph of text when the field requires only an
integer, there's something wrong.

You also want to protect your app when you display user-entered data by
using htmlentities() (to prevent XSS attacks).


* * Please support the community that supports you.  * *

For unsubscribe and other options, including the Tip Harvester and archives
of thelist go to: http://lists.evolt.org Workers of the Web, evolt ! 

More information about the thelist mailing list