Are there any security measures I could take to make sure that the data the user is submitting (to be stored in the database) is not malicious?

well it depends on what you see as malicious... but i suppose, one start could be to strip PHP and HTML tags using strip_tags()
Usage of strip_tags:
string strip_tags ( string str [, string allowable_tags])
or see: http://nz.php.net/manual/en/function.strip-tags.php
Hope that helps
--EDIT--
You also may want to change < and > and other HTML chars to entities (eg, &lt; and &gt;), by using the function htmlentities() (http://nz.php.net/manual/en/function.htmlentities.php)
Usage of htmlentities:
string htmlentities ( string string [, int quote_style [, string charset]])
definitely do that. i used strip_tags for one of my shoutboxes, and someone decided it would be funny to put a bunch of 's
one problem with strip_tags however is that it seems to return a blank post if they DID use HTML, so you need to also trim() whenever you output, and if the trimmed output is blank, not display it.
like...
$author = strip_tags(addslashes($_POST["author"])); // remove tags, backslash-escape quotes
if (trim($author) != '') { // check what is left after the tags are gone, not the raw input
    //code
}

good suggestions, guys.. i've been using (here lately) something a bit different..
basically, if you don't care too much about server space, you could add a slash to every character prior to putting it in mysql.. this way mysql won't parse anything no matter how malicious it is
i've also been considering doing what AHHQ_Man and Gregory mentioned at the same time as well

Here is the function I use...
function dbinsans($text) {
    $text = strip_tags($text, "");                // remove all HTML and PHP tags
    $text = str_replace(chr(10), "", $text);      // drop line feeds
    $text = str_replace(chr(13), "<br>", $text);  // carriage return becomes a line break tag
    // the two entity names were lost when the post was rendered; &quot; and &#039; assumed
    $text = str_replace("\"", "&quot;", $text);   // double quote -> entity
    $text = str_replace("'", "&#039;", $text);    // single quote -> entity
    $text = addslashes($text);                    // backslash-escape for the query string (not charset-aware)
    return $text;
}
Great stuff! Thanks for all your help guys!
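An added example, not from the thread or any of its posters, that puts the strip_tags()/addslashes() route beside the split a reviewer would ask for today: store the raw text through a PDO prepared statement so the SQL layer never parses it, and encode with htmlspecialchars() only when rendering. It assumes the PDO SQLite driver is available; the table name and the sample submission are constructed for the example.

```php
<?php
// Constructed sample submission: markup, both quote styles, an angle bracket
// and a semicolon, the characters the thread's function tries to neutralise.
$submitted = 'O\'Brien <b>says</b>: 5 < 7; "fine"';

// 1. Thread's approach: tags removed, quotes backslash-escaped before storage.
//    An input that is only markup (e.g. '<br>') comes back empty, which is why
//    the thread adds a trim() check before displaying.
$threadStyle = addslashes(strip_tags($submitted));

// 2. Prepared statement: the value is bound as data, never spliced into SQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shouts (id INTEGER PRIMARY KEY, author TEXT NOT NULL)');

function storeShout(PDO $db, string $text): void
{
    // Skip blank posts, the same check the thread applies after strip_tags().
    if (trim($text) === '') {
        return;
    }
    $stmt = $db->prepare('INSERT INTO shouts (author) VALUES (:author)');
    $stmt->bindValue(':author', $text, PDO::PARAM_STR);
    $stmt->execute();
}

// 3. Encode at output: <, >, &, " and ' become entities for the browser, so the
//    stored text stays intact and nothing is interpreted as markup when shown.
function renderShout(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

storeShout($db, $submitted);
storeShout($db, '   ');   // blank after trim(): not stored

echo "thread style, stored form: $threadStyle\n";
foreach ($db->query('SELECT author FROM shouts') as $row) {
    // Round-trips unchanged: no backslashes in the database, no raw markup in the page.
    echo "prepared + encoded:        ", renderShout($row['author']), "\n";
}
```

The apostrophe in the stored row stays an apostrophe; it is only turned into &#039; at render time, so the same row can later be emitted as JSON, e-mail or plain text without undoing an escape chosen for one output context.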