[thelist] Form Security
Ken Schaefer
Ken at adOpenStatic.com
Wed Jul 21 11:31:23 CDT 2010
www.owasp.org (open web application security project) is a great starting place for understanding the threats you face on the internet. SQL Injection, XSS, replay attacks etc. The OWASP Security Guide is a good single resource that gives a summary of what you need to know to start understanding why you are doing what you are doing.
Cheers
Ken
-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of DAVOUD TOHIDY
Sent: Wednesday, 21 July 2010 4:31 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Form Security
> I can only verify it's a valid card (using security code or zip code).
> I can't ask them "Did you steal this credit card?" and expect a
> truthful response if they did ;).
Actually through a search I came across the following pdf file:
http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf
From what I see on page 2 of the above pdf file, considering the following statement:
"However, before calling a database's own escaping mechanism, it's important to check the state of magic quotes. If magic quotes is enabled, remove any backslashes (\) it may have added; otherwise, the input will be doubly-escaped, effectively corrupting it (because it differs from the input supplied by the user)."
I need to change the code to :
$name = $_POST['name'];
// undo the backslashes magic quotes added, so the value is escaped only once below
if (get_magic_quotes_gpc()) {
    $name = stripslashes($name);
}
$name = mysql_real_escape_string(strip_tags(htmlentities(trim($name))));
Could you correct me if I am wrong please?
thanks
davoud
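As an added worked example (not code from Ken or Davoud, and not from the MySQL PDF), the sequence the quoted passage describes: undo magic quotes so the value equals what the user typed, hand it to the database once, and encode for HTML only at display time. It is written against PDO with an in-memory SQLite database so it runs without a MySQL server; a bound parameter stands in for mysql_real_escape_string (which needs a live MySQL connection and no longer exists in current PHP), the form value and the magic-quotes flag are constructed inline, and the function names are the example's own.

```php
<?php
// Added example for this thread, not code posted by either list member.
// Assumes PHP 7.4 or later with the pdo_sqlite extension available.

// Constructed input: what the user typed into the form field.
$typed = "O'Brien <b>x</b>";
// The same value as PHP hands it to $_POST when magic_quotes_gpc is On:
// a backslash has been inserted before the apostrophe.
$receivedWithMagicQuotes = "O\\'Brien <b>x</b>";

// Detect magic quotes on this interpreter. The function was removed in PHP 8,
// so guard the call; on modern PHP this simply returns false.
function magicQuotesOn(): bool
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Step 1 from the quoted PDF: if magic quotes added backslashes, strip them
// so the value matches what the user supplied. The flag is a parameter here
// only so the demo can exercise the On case on a PHP that lacks magic quotes.
function normalizeInput(string $received, bool $magicQuotes): string
{
    return $magicQuotes ? stripslashes($received) : $received;
}

// Step 2: send the value through a bound parameter. The driver quotes it,
// so no escaping function is called by hand and nothing can be doubly escaped.
function storeAndFetch(PDO $db, string $name): string
{
    $db->exec('CREATE TABLE IF NOT EXISTS people (name TEXT)');
    $insert = $db->prepare('INSERT INTO people (name) VALUES (:name)');
    $insert->execute([':name' => $name]);
    $select = $db->prepare('SELECT name FROM people WHERE name = :name');
    $select->execute([':name' => $name]);
    return (string) $select->fetchColumn();
}

// Step 3: HTML-encode when rendering, not before storage, so the database
// keeps the user's real data and the encoding matches the output context.
function renderName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Runs the three steps and reports whether each invariant held.
function demonstrate(string $typed, string $received): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $clean  = normalizeInput($received, true);
    $stored = storeAndFetch($db, $clean);

    // The mistake the PDF warns about: escaping a value that still carries
    // the magic-quotes backslash. addslashes stands in for the DB escaper.
    $doublyEscaped = addslashes($received);

    return [
        'magic_quotes_detected'      => magicQuotesOn(),
        'backslash_removed'          => $clean === $typed,
        'apostrophe_round_trips'     => $stored === $typed,
        'double_escape_corrupts'     => $doublyEscaped !== $typed,
        'rendered_html'              => renderName($stored),
    ];
}

var_export(demonstrate($typed, $receivedWithMagicQuotes));
echo PHP_EOL;
```

The point the example makes against the posted snippet: the value stored in the database should be exactly what the user typed, with quoting handled once by the database layer, and HTML encoding applied separately at output. Running htmlentities and strip_tags before storage bakes one output context's encoding into the data, which is why the "clean once, encode per context" layering is preferred.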