10-29-2007, 01:06 PM
#9
The Reckoner
Join Date: Sep 2007
Posts: 437
Thanks: 22
Hi Jmz, as a general rule, for a secure application you should always filter input and escape output (you'll hear that tip again and again). Basically, that means that if you're expecting a string from a form, ensure the data you get really is a string. If you're outputting data to a database, make sure you escape it first using mysql_escape_string(). Following these two rules will make your application a lot more secure.
So let's say that you are expecting szUsername and szPassword from $_POST, you could filter these using the built in filter functions:
PHP Code:
// Map each expected POST field to a filter; the query below reads
// $aFiltered['szUsername'], so the key here must be 'szUsername', not 'szEmail'.
$aFilterOptions = array(
    'szUsername' => FILTER_SANITIZE_STRING,
    'szPassword' => FILTER_SANITIZE_STRING
);
// Fields missing from $_POST come back as NULL, so check for that before use.
$aFiltered = filter_input_array(INPUT_POST, $aFilterOptions);
Then you simply escape the values before using them in your query, such as:
PHP Code:
// sprintf(), not sprint(); each %s receives an escaped value so quote
// characters in the input cannot terminate the string literal early.
// Note: mysql_real_escape_string() is the connection-aware variant and
// is preferred over mysql_escape_string() when a connection is open.
$szSql = sprintf(
    "SELECT * FROM members WHERE username = '%s' AND password = '%s'",
    mysql_escape_string($aFiltered['szUsername']),
    mysql_escape_string($aFiltered['szPassword'])
);
__________________
Any fool can write code that a computer can understand. Good programmers write code that humans can understand.
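The filter-then-escape approach from the post, worked through as an added example that is not the poster's code: the same login query built unescaped, escaped (the post's method, using PDO::quote() in place of mysql_escape_string()), and as a prepared statement, run against an in-memory SQLite database so it works offline. The members table, the user record and the form values are constructed for the example.

```php
<?php
// Added example, not the poster's code: the login query built three ways
// against an in-memory SQLite database so it runs offline. Table and column
// names follow the post; the user record and form values are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (username TEXT, password TEXT)");
$db->exec("INSERT INTO members VALUES ('o''brien', 'correct-horse')");

// Stand-in for $_POST: filter_input_array() needs a real request, so the same
// filter spec is applied with filter_var_array(). A quote character in the
// username is exactly what breaks an unescaped query.
$post = ['szUsername' => "o'brien", 'szPassword' => 'correct-horse'];
$filtered = filter_var_array($post, [
    'szUsername' => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_LOW],
    'szPassword' => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_LOW],
]);

// Unescaped: the value is spliced straight into the SQL text. The apostrophe
// ends the string literal early, so the rest of the input is parsed as SQL.
// Here that is a syntax error; other input could change what the query does.
function loginUnescaped(PDO $db, array $in): string {
    $sql = sprintf("SELECT 1 FROM members WHERE username = '%s' AND password = '%s'",
                   $in['szUsername'], $in['szPassword']);
    try {
        return $db->query($sql)->fetchColumn() ? 'login ok' : 'login failed';
    } catch (PDOException $e) {
        return 'query error: ' . $e->getMessage();
    }
}

// Escaped: the post's approach. PDO::quote() wraps and escapes the value as
// mysql_real_escape_string() does for the mysql_* functions; the value is
// still text inside the statement, so the escaping must match the connection.
function loginEscaped(PDO $db, array $in): string {
    $sql = sprintf("SELECT 1 FROM members WHERE username = %s AND password = %s",
                   $db->quote($in['szUsername']), $db->quote($in['szPassword']));
    return $db->query($sql)->fetchColumn() ? 'login ok' : 'login failed';
}

// Prepared statement: data never enters the SQL text, so no escaping is needed.
function loginPrepared(PDO $db, array $in): string {
    $st = $db->prepare("SELECT 1 FROM members WHERE username = ? AND password = ?");
    $st->execute([$in['szUsername'], $in['szPassword']]);
    return $st->fetchColumn() ? 'login ok' : 'login failed';
}

echo loginUnescaped($db, $filtered), "\n";
echo loginEscaped($db, $filtered), "\n";
echo loginPrepared($db, $filtered), "\n";
```

Requires the pdo_sqlite extension; the escaped and prepared forms both log the user in, while the unescaped form fails on the apostrophe.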