Web Analytics Made Easy -
StatCounter securing form values - CodingForum


No announcement yet.

securing form values

  • Filter
  • Time
  • Show
Clear All
new posts

  • securing form values

    I'm looking for ways to protect my site against possible hackers.

    I've got a form with some textfields and textareas, is it enough to:"

    - mysql_real_escape_string() every post value before entering it into a db
    - htmlentities() before outputting it

    Is it necessary to use stripslashes as well? Cause that would alter entered slashes from the user.

  • #2
    Validating user inputs on the server is really a "must do".

    Before processing any user inputs, make sure they contain only valid characters and nothing else. Then pass the validated input to the sql query via mysql_real_escape_string. There is no need for stripslashes in this case


    • #3
      Thanks, can you tell me what kind of things I should validate on, I've got a textarea where people can fill in lots of text. I dunno what hackers would use to hack it.


      • #4
        This is a popular page showing how hackers can use sql injection to corrupt or at least get data from an unprotected database.

        But validating data is not only about helping ward off attacks. It's also about maintaining the integrity of the data in your database. For example, if the data in a database table column should only contain letters then you should validate that user input and reject any user input for that column that contains characters other that letters.

        Whatever you do, don't fall into the trap of validating user inputs only on the client side using javascript because it can very easily be bypassed by switching off javascript in the browser.
        Last edited by webdev1958; Aug 22, 2011, 08:18 AM.