[thelist] Keeping PHP forms secure
Nan Harbison
nan at nanharbison.com
Fri Aug 3 15:15:19 CDT 2007
Thanks Andrew.
I would never have thought to check the data; I was only checking for empty
fields that are required. And I will use htmlentities.
Nan
-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Andrew Kamm
Sent: Friday, August 03, 2007 3:51 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Keeping PHP forms secure
> Is this enough to keep the database safe from attack? It seems like
> there should be more to this, but I have googled and didn't find anything.
For the most part, but you may also want to run a 'sanity check' on individual
fields to make sure they're appropriate and that someone isn't trying to
manipulate your application while trolling for holes.
If you're getting a paragraph of text when the field requires only an
integer, there's something wrong.
You also want to protect your app when you display user-entered data by
using htmlentities() (to prevent XSS attacks).
ak
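The two points Andrew makes above, a per-field sanity check before anything reaches the database and htmlentities() when user-entered data is displayed, as an added example that is not code from anyone in this thread. The form field names (quantity, comment), the reviews table and the PDO connection are assumptions for illustration; it needs PHP 7 or later with the mbstring extension.

```php
<?php
// Added example, not code from the thread. It shows per-field validation
// before data reaches the database, a prepared statement for storage, and
// htmlentities() at display time. Field names, table and DSN are assumptions.

/**
 * Validate a submitted review form. Returns ['errors' => [...], 'clean' => [...]].
 * Only values that passed their own check appear in 'clean'.
 */
function validateReview(array $input): array
{
    $errors = [];
    $clean  = [];

    // Integer field: a paragraph of text, "12abc" or "1e3" is rejected outright.
    $quantity = filter_var($input['quantity'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000],
    ]);
    if ($quantity === false) {
        $errors['quantity'] = 'quantity must be a whole number between 1 and 1000';
    } else {
        $clean['quantity'] = $quantity;
    }

    // Free text: required, bounded in length, no control characters. HTML is
    // not stripped here; the escaping is done when the value is displayed.
    $comment = trim((string) ($input['comment'] ?? ''));
    if ($comment === '' || mb_strlen($comment, 'UTF-8') > 500) {
        $errors['comment'] = 'comment is required and may be at most 500 characters';
    } elseif (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $comment)) {
        $errors['comment'] = 'comment contains invalid characters';
    } else {
        $clean['comment'] = $comment;
    }

    return ['errors' => $errors, 'clean' => $clean];
}

/** Escape a value for insertion into HTML text or a quoted attribute. */
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

/**
 * Store validated data with a prepared statement, so the values are never
 * interpolated into the SQL string. Not called in the demo below (needs a DB).
 */
function storeReview(PDO $pdo, array $clean): void
{
    $stmt = $pdo->prepare('INSERT INTO reviews (quantity, comment) VALUES (:q, :c)');
    $stmt->execute([':q' => $clean['quantity'], ':c' => $clean['comment']]);
}

// Constructed sample submissions standing in for $_POST.
$submissions = [
    'bad'  => ['quantity' => '12abc', 'comment' => str_repeat('x', 600)],
    'good' => ['quantity' => '3', 'comment' => 'Works well & arrived <fast>'],
];

foreach ($submissions as $label => $input) {
    $result = validateReview($input);
    echo "--- $label ---\n";
    if ($result['errors']) {
        // Show messages to the user; never echo the raw input back unescaped.
        foreach ($result['errors'] as $field => $msg) {
            echo h($field), ': ', h($msg), "\n";
        }
        continue;
    }
    // Display path: escaped, so stored text cannot become markup in the page.
    echo '<p>Quantity: ', h((string) $result['clean']['quantity']), "</p>\n";
    echo '<p>Comment: ', h($result['clean']['comment']), "</p>\n";
}
```

The "bad" submission fails both checks and never gets near a query; the "good" one is stored through bound parameters and rendered as `Works well &amp; arrived &lt;fast&gt;`, so the angle brackets stay text rather than becoming a tag. Validation rejects bad shapes, the prepared statement keeps data out of the SQL, and escaping is applied at the point of output; each layer handles a different problem, which is why none of them replaces the others.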