Professional Web Applications Themes

Form security for database - PHP Development

  1. #1

    Form security for database

    Hi,
    I can't find the answer to my question anywhere, so I am asking here.
    I have different form fields in my pages ("find", "password", "message").
    I know that it is easy for a hacker to get information about my database
    by causing an error, or to get into the secret zone...

    So, what kind of control do I need, or what do I have to strip/erase from the input
    to have security (or almost)?
    Is it a different control for different fields?

    Thank you, and sorry for my English mistakes (I'm Italian! :) )
    Mark


    Mark Renton Guest

  3. #3

    Re: Form security for database

    Here ya go:

    // add slashes so that special characters are not interpreted
    $message = addslashes($message);

    //get rid of ALL html tags
    $message = strip_tags($message);

    //convert the tag leftovers to non-html
    $message = htmlspecialchars($message, ENT_QUOTES);

    Be careful with the order of these functions. Double-check on php.net.

    Greetz,

    Barton

    On Mon, 27 Oct 2003 11:04:46 +0100, "Mark Renton" <markhotmaille.com>
    wrote:
    >Hi,
    >I can't find the answer to my question anywhere, so I am asking here.
    >I have different form fields in my pages ("find", "password", "message").
    >I know that it is easy for a hacker to get information about my database
    >by causing an error, or to get into the secret zone...
    >
    >So, what kind of control do I need, or what do I have to strip/erase from the input
    >to have security (or almost)?
    >Is it a different control for different fields?
    >
    >Thank you, and sorry for my English mistakes (I'm Italian! :) )
    > Mark
    >
    Barton Guest
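What Barton's three calls above actually do to a stored message, as an added example that is not part of the original post: the same chain, in the same order, is run over a constructed input, next to the alternative of storing the text unchanged and escaping it only when it is written into HTML. The input string is constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Runs the sanitizer chain from
// the post above (same functions, same order) over a constructed message
// and compares it with escaping at output time only.

/** The chain exactly as recommended: addslashes, then strip_tags, then htmlspecialchars. */
function threadChain(string $message): string
{
    $message = addslashes($message);
    $message = strip_tags($message);
    return htmlspecialchars($message, ENT_QUOTES);
}

/** Store the text as the user typed it; escape at the moment it goes into HTML. */
function renderHtml(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

/** True when the escaped form decodes back to exactly what the user typed. */
function roundTrips(string $original, string $escaped): bool
{
    return html_entity_decode($escaped, ENT_QUOTES, 'UTF-8') === $original;
}

// Constructed input: a single quote, a tag, double quotes and an ampersand.
$input = "O'Reilly wrote <b>\"hello\"</b> & left";

$chained  = threadChain($input);
$rendered = renderHtml($input);

echo "chain  : $chained\n";
echo "output : $rendered\n";

// addslashes() ran before htmlspecialchars(), so every quote entity in the
// chained result still carries the backslash addslashes() added, and the
// <b> tags are gone for good. Output-time escaping is lossless: the browser
// shows the tags as literal text and the stored value is the original.
printf("chain round-trips : %s\n", roundTrips($input, $chained) ? 'yes' : 'no');
printf("output round-trips: %s\n", roundTrips($input, $rendered) ? 'yes' : 'no');
```

Run it with the `php` command-line binary. The chain yields `O\&#039;Reilly wrote \&quot;hello\&quot; &amp; left`: the tags are removed and each quote is preceded by the backslash from addslashes(), which reaches the user's screen unless something strips it again later. The output-time version yields `O&#039;Reilly wrote &lt;b&gt;&quot;hello&quot;&lt;/b&gt; &amp; left`, which the browser displays as the original text and which decodes back to it without loss. addslashes() addresses the SQL side and belongs, if anywhere, at the database call; htmlspecialchars() belongs where the text meets the page.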

  5. #5

    Re: Form security for database

    Good suggestions, and here is one more that incorporates it all on one
    line and adds a little something extra:

    $message = addslashes(htmlspecialchars(strip_tags(trim(chop($message))), ENT_QUOTES));

    This removes the whitespace from the beginning and end, in addition to
    all the other stuff he said.

    Barton <bc173NOSPAMMMhotmail.com> wrote in message news:<bnsppv83m2ejirb14ack8vhef0ld0g8it44ax.com>...
    > Here ya go:
    >
    > // add slashes so that special characters are not interpreted
    > $message = addslashes($message);
    >
    > //get rid of ALL html tags
    > $message = strip_tags($message);
    >
    > //convert the tag leftovers to non-html
    > $message = htmlspecialchars($message, ENT_QUOTES);
    >
    > Be careful with the order of these functions. Double-check on php.net.
    >
    > Greetz,
    >
    > Barton
    >
    > On Mon, 27 Oct 2003 11:04:46 +0100, "Mark Renton" <markhotmaille.com>
    > wrote:
    >
    > >Hi,
    > >I can't find the answer to my question anywhere, so I am asking here.
    > >I have different form fields in my pages ("find", "password", "message").
    > >I know that it is easy for a hacker to get information about my database
    > >by causing an error, or to get into the secret zone...
    > >
    > >So, what kind of control do I need, or what do I have to strip/erase from the input
    > >to have security (or almost)?
    > >Is it a different control for different fields?
    > >
    > >Thank you, and sorry for my English mistakes (I'm Italian! :) )
    > > Mark
    > >
    Steve Guest

  7. #7

    Re: Form security for database

    Thank you both!
    A question: is there any risk with this function if someone inserts a
    "SELECT" or another SQL command inside?
    For example, someone said there could be a risk if in the password field you
    write "OR a=a".

    Thanks!! :)


    Mark Renton Guest
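The "OR a=a" question above, answered by running it, as an added example that is not from the thread: a login query built by string concatenation the way these posts imply, a numeric lookup "protected" with addslashes() as recommended, and the same two queries written as prepared statements. The table, columns, rows and payloads are constructed for the demo, and the passwords are plaintext only to keep it short.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. A throwaway in-memory SQLite
// database with constructed rows; table and column names are assumptions.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL)');
$db->exec("INSERT INTO users (username, password) VALUES ('mark', 'correct-horse'), ('admin', 'x9kq')");

/** Vulnerable: the form values are pasted straight into the SQL text. */
function loginConcat(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
    return $db->query($sql)->fetchColumn() !== false;
}

/** Vulnerable: a numeric field "protected" with addslashes() as the thread suggests. */
function usernameByIdConcat(PDO $db, string $id): ?string
{
    $id  = addslashes($id);   // nothing to escape: the payload contains no quotes
    $row = $db->query("SELECT username FROM users WHERE id = $id")->fetchColumn();
    return $row === false ? null : $row;
}

/** Hardened: placeholders keep the data out of the query text entirely. */
function loginPrepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pass]);
    return $stmt->fetchColumn() !== false;
}

/** Hardened numeric lookup: the bound value is compared as data, never parsed as SQL. */
function usernameByIdPrepared(PDO $db, string $id): ?string
{
    $stmt = $db->prepare('SELECT username FROM users WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

// The quoted form of the "OR a=a" trick: the first quote closes the password
// string and the last one re-opens it, so the resulting SQL stays well-formed.
$passPayload = "' OR 'a'='a";
$idPayload   = '0 OR 1=1';

$cases = [
    ['concat login, wrong password',    loginConcat($db, 'mark', 'wrong')],
    ['concat login, injected password', loginConcat($db, 'mark', $passPayload)],
    ['prepared login, injected',        loginPrepared($db, 'mark', $passPayload)],
    ['prepared login, real password',   loginPrepared($db, 'mark', 'correct-horse')],
    ['concat id lookup, injected',      usernameByIdConcat($db, $idPayload)],
    ['prepared id lookup, injected',    usernameByIdPrepared($db, $idPayload)],
];
foreach ($cases as [$label, $result]) {
    printf("%-34s %s\n", $label, var_export($result, true));
}
```

Run it with any `php` build that has pdo_sqlite. The concatenated login accepts the injected password because the WHERE clause becomes `username = 'mark' AND password = '' OR 'a'='a'`, and the OR branch is true for every row; the prepared version rejects it because the whole payload is compared against the password column as one string. The numeric lookup is the case the thread's advice cannot cover: `0 OR 1=1` contains no quotes, so addslashes() returns it unchanged and the query matches every row, while the bound parameter matches none. Quote escaping is also engine-specific (SQLite doubles quotes rather than backslashing them), which is one more reason to let the driver bind the values instead of escaping by hand.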
