[thelist] Form Security

Bill Moseley moseley at hank.org
Thu Jul 15 15:31:26 CDT 2010


On Thu, Jul 15, 2010 at 1:19 PM, DAVOUD TOHIDY <dtohidy at hotmail.com> wrote:

>
> Hi there,
>
> I am working on my employer's site. I have a search engine and Contact
> form. I have taken all the steps that I am aware of to tighten the security
> such as using:
>
> $name = mysql_real_escape_string(strip_tags(stripslashes(htmlentities(trim($_POST['name'])))));
>

That looks painful.

I validate all user input, but just for basic values that make sense for
the application.  Integers are integers, and text is, well, just about
everything else, for example.  But, all user data is escaped any place it
is rendered -- not on input because I don't know what the output device will
be.

Besides, who are we to say what characters someone can use for their name?
I know for a fact (by looking in our db) that there's a lot of people
named "; rm -r *" and "; drop table users;".



-- 
Bill Moseley
moseley at hank.org
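The approach Bill describes, as an added PHP example that is not part of the thread: validate each field for what the application needs (an integer stays an integer, a name is just bounded text), store the raw value with a prepared statement, and escape only at the point of output for the device in use (HTML here). The table, column and form-field names are made up for the demo.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Demonstrates: validate on input
// by type, keep the data untouched, escape at the output boundary.

function validateName(string $raw): string {
    // Text is "just about everything else": only trim and bound the length,
    // never strip characters the user chose.
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        throw new InvalidArgumentException('name must be 1-100 characters');
    }
    return $name;
}

function validatePage(string $raw): int {
    // Integers are integers: reject anything that is not one.
    if (!preg_match('/^[1-9][0-9]{0,5}$/', $raw)) {
        throw new InvalidArgumentException('page must be a positive integer');
    }
    return (int) $raw;
}

function renderHtml(string $text): string {
    // Escaping happens here, for this output device (an HTML page).
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample of a contact-form submission (field names are made up).
$post = ['name' => "O'Brien <b>; drop table users;</b>", 'page' => '2'];

$name = validateName($post['name']);
$page = validatePage($post['page']);

// The database layer keeps data and SQL apart, so no escaping of the value
// is needed before storage; mysql_real_escape_string() has no role here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$stmt = $db->prepare('INSERT INTO contacts (name) VALUES (:name)');
$stmt->execute([':name' => $name]);

$stored = $db->query('SELECT name FROM contacts')->fetchColumn();
if ($stored !== $name) {
    throw new RuntimeException('stored value should match what the user typed');
}

// The same stored value, escaped only now that it is being rendered as HTML.
echo '<p>Thanks, ' . renderHtml($stored) . ' (page ' . $page . ')</p>', PHP_EOL;
```

Swap `renderHtml()` for a JSON, CSV or plain-text encoder when the same value goes to a different output device; the stored data never changes.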

