Bytes IT Community

Form security for database

Hi,
I don't find anywhere the answer to my question so I try to ask here.
I have in my pages different form fields ("find", "password", "message").
I know that it is easy for a hacker to get information about my database
by creating an error, or to enter the secret zone...

So, what kind of control, or what do I have to strip/erase from the input, to have
security (or almost)?
Is it a different control for different fields?

Thank you, and sorry for my English mistakes (I'm Italian! :) )
Mark
Jul 17 '05 #1
3 Replies


Here ya go:

// add slashes so that special characters are not interpreted
$message = addslashes($message);

//get rid of ALL html tags
$message = strip_tags($message);

//convert the tag leftovers to non-html
$message = htmlspecialchars($message, ENT_QUOTES);

Be careful with the order of these functions. Double check on php.net

Greetz,

Barton

On Mon, 27 Oct 2003 11:04:46 +0100, "Mark Renton" <ma**@hotmaille.com> wrote: [quotes the original question in full]


Jul 17 '05 #2

Good suggestions, and here is one more that incorporates it all on one
line and adds a little something extra

$message = addslashes(htmlspecialchars(strip_tags(trim(chop($message))),ENT_QUOTES));

This removes the whitespace from the beginning and end, in addition to
all the other stuff he said.

Barton <bc***@NOSPAMMMhotmail.com> wrote in message news:<bn********************************@4ax.com>... [quotes Barton's reply and the original question in full]

Jul 17 '05 #3
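Added example (editor's code, not Barton's or the third reply's): it runs the same three PHP functions over a constructed input in the order each reply uses, so the warning about order can be seen concretely, and ends with the alternative of keeping the raw value and encoding it once, at output. The sample string, the function names and the constant are this example's own.

```php
<?php
// Added example, not code from the thread. It applies the functions the two
// replies use, in each reply's order, to a constructed input, and shows what
// a page would display afterwards.
declare(strict_types=1);

// Constructed sample input: an apostrophe, a tag and surrounding whitespace.
const SAMPLE = "  It's <b>fine</b>  ";

// Reply #2's order: addslashes first, then strip_tags, then htmlspecialchars.
function sanitizeSlashesFirst(string $s): string
{
    $s = addslashes($s);
    $s = strip_tags($s);
    return htmlspecialchars($s, ENT_QUOTES);
}

// Reply #3's order: trim, strip_tags, htmlspecialchars, then addslashes last.
function sanitizeSlashesLast(string $s): string
{
    return addslashes(htmlspecialchars(strip_tags(trim($s)), ENT_QUOTES));
}

// What a browser shows once the stored value is decoded on display.
function asDisplayed(string $stored): string
{
    return html_entity_decode($stored, ENT_QUOTES);
}

// The alternative: store the raw value and encode it where it is rendered.
function encodeForHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$a = sanitizeSlashesFirst(SAMPLE);
$b = sanitizeSlashesLast(SAMPLE);
printf("slashes first: [%s] -> displays as [%s]\n", $a, asDisplayed($a));
printf("slashes last:  [%s] -> displays as [%s]\n", $b, asDisplayed($b));
// Encoding an already encoded value again double-encodes it.
printf("double-encoded: [%s]\n", encodeForHtml($b));
// Raw value kept, encoded once at output.
printf("encode at output: [%s]\n", encodeForHtml(strip_tags(trim(SAMPLE))));
```

With the sample input, the slashes-first order stores `It\&#039;s fine` (spaces included), so the rendered page shows a stray backslash; the slashes-last order stores `It&#039;s fine`, which displays correctly but becomes `It&amp;#039;s fine` as soon as the page encodes it again on output. addslashes() exists for escaping a string that is about to be spliced into an SQL literal, not for data that will be displayed, and a parameterized query removes the need for it; strip_tags() discards user content and is better replaced by encoding at output.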

Thank you 2!
A question: is there any risk with this function if someone inserts a
"SELECT" or other SQL command inside?
For example: someone says there could be a risk if in the password field you
write "OR a=a".

thks!! :)
Jul 17 '05 #4
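Added example, not part of the thread: it looks at the "OR a=a" question from the defender's side. concatenatedQuery() only builds the statement, to show where a form value lands when it is pasted into SQL; login() uses a PDO prepared statement so the value is bound as data, and checks the password against a hash in PHP instead of putting it in the WHERE clause. The in-memory SQLite database (assumes the pdo_sqlite extension), the user 'mark', the password and the function names are all constructed for this example.

```php
<?php
// Added example, not code from the thread. Uses PDO with an in-memory SQLite
// database and constructed sample data, so it runs without a database server.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Raise exceptions instead of warnings, so errors can be logged server-side
    // and never reach the client with query text in them.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    // Constructed user: only a hash of the password is stored, never the password.
    $ins = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (:n, :h)');
    $ins->execute([':n' => 'mark', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// The pattern the question worries about: the form values are pasted into the
// statement text, so SQL words in them become part of the query. Built, not run.
function concatenatedQuery(string $user, string $pass): string
{
    return "SELECT * FROM users WHERE name='$user' AND password='$pass'";
}

// Hardened: the statement shape is fixed, the form value is bound as data, and
// the password is verified against the stored hash in PHP.
function login(PDO $db, string $user, string $pass): bool
{
    try {
        $st = $db->prepare('SELECT pw_hash FROM users WHERE name = :n');
        $st->execute([':n' => $user]);
        $hash = $st->fetchColumn(); // false when no such user
        return $hash !== false && password_verify($pass, $hash);
    } catch (PDOException $e) {
        // Detail goes to the operator's log; the client learns only "no".
        error_log('login query failed: ' . $e->getMessage());
        return false;
    }
}

$db = openDb();
echo concatenatedQuery('mark', 'OR a=a'), "\n";
var_dump(login($db, 'mark', 'correct horse'));
var_dump(login($db, 'mark', 'OR a=a'));
var_dump(login($db, 'OR a=a', 'OR a=a'));
```

The password field needs no stripping or escaping at all: it is bound as a parameter and then handed to password_verify(), which compares it with the stored hash. The script prints the concatenated statement with the form value sitting inside the SQL, then true for the correct password and false for the two inputs that contain "OR a=a", because a bound parameter is compared as a literal string. PDO::ERRMODE_EXCEPTION together with the catch block in login() is what keeps a database error message, and with it the table and column names, from being shown to the user, which was the first concern in the question.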
