--- Mark-Walter@xxxxxxxxxxx wrote:
> I read now quite a lot of articles about SQL-Injection,
> XSS, and session hijacking in a hopefully appropriate way.
>
> As I understand the function addslashes(), quote_meta(),
> and mysql_real_escape_string() are to avoid SQL Injection

The database-specific escaping functions are best. The addslashes() function should be considered a last resort if your database of choice has no escaping function particular to it.

> e.g. in order to use page_sliding with entered POST data
> over forms with $_REQUEST parameters

I highly recommend not using $_REQUEST. Use $_GET and $_POST instead.

> strip_tags(), htmlentities() and utf8_decode() is useful
> to have a clean output within the browser by not having
> arbitrary code within.

Yes, but the important thing about all of these functions that you have mentioned is knowing when, how, and why to use them.

> For a session authentication PEAR::Auth is used.

I need to review this sometime.

> I just wanted to ask if there's more to take care of.

There is a lot more. I highlight some of the things I think are of principal concern for PHP developers in something I call the PHP Security Workbook:

http://shiflett.org/php-security.pdf

That doesn't cover everything, of course, but it covers those things I have chosen as most important when I only have three hours to talk about security concerns. :-)

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
HTTP Developer's Handbook - Sams
Coming January 2005
http://httphandbook.org/

--
PHP General Mailing List (http://www.php.net/)
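A worked illustration of the "when, how, and why" in the reply above, added here and not code from the thread or from Chris Shiflett: one form submission with each function applied only at the boundary it protects. The mysqli connection, its credentials and the comments table are assumptions, and mysqli's real_escape_string() stands in for the mysql_real_escape_string() the thread names.

```php
<?php
// Added example, not from the thread. Each escaping function is used only in
// the context it protects; table name and credentials are assumed.

// 1. Read from $_POST only. $_REQUEST would also accept the same names from
//    the query string or cookies, so a plain link could stand in for a form.
$username = isset($_POST['username']) ? $_POST['username'] : '';
$comment  = isset($_POST['comment'])  ? $_POST['comment']  : '';

// 2. Validate what has a known shape. A whitelist settles this field before
//    any escaping is needed; free text like $comment cannot be whitelisted
//    and has to rely on escaping at each boundary instead.
if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $username)) {
    header('HTTP/1.0 400 Bad Request');
    exit('Invalid username');
}

// 3. Database boundary: escape with the driver's own function, which knows
//    the connection's character set. addslashes() does not, which is why the
//    reply treats it as a last resort.
$db = new mysqli('localhost', 'app', 'secret', 'appdb');   // assumed credentials
$db->set_charset('utf8');
$sql = sprintf(
    "INSERT INTO comments (username, body) VALUES ('%s', '%s')",
    $db->real_escape_string($username),
    $db->real_escape_string($comment)
);
$db->query($sql);

// 4. Browser boundary: encode at output time, not at input time. The stored
//    comment stays raw, so the same data can later go to a non-HTML context
//    (mail, JSON) without being escaped twice. strip_tags() would discard
//    content; htmlentities() keeps it and only neutralises it for HTML.
echo '<p><b>' . htmlentities($username, ENT_QUOTES, 'UTF-8') . '</b> wrote: '
   . nl2br(htmlentities($comment, ENT_QUOTES, 'UTF-8')) . '</p>';
```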