Hi,
What should one do to guard against people who try to manipulate my server?
I mysql_real_escape_string() all input from GET and POST.
A long time ago I think I used addslashes or something like that
too, so people couldn't insert PHP code in their input. Is that
still something I should do, or does mysql_real_escape_string() take
care of that too? And is it even possible for a user to execute
their own PHP code if I do not output the input via the eval() function?
When user input is displayed to others than themselves I try to
filter out HTML tags too.
Anything else I should think of?
Sorry if this has been asked a million times before. Thanks for your time
/Regards Emil
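As an added example (not code posted by Emil, tedd, or anyone else on the list), here are the three pieces Emil's question touches, written the way a practitioner would do them now: the escaping approach he describes, the prepared-statement approach that makes escaping unnecessary, and output encoding instead of tag stripping. The table name `comments(id, author, body)` and the connection objects are assumptions for the illustration. On the eval() question: PHP only executes what the script itself hands to eval(), include()/require(), or what the web server is configured to run as a script; text that is merely echoed to a page is never executed as PHP.

```php
<?php
// Added example for this thread; not Emil's or tedd's code. It assumes a
// hypothetical table `comments(id, author, body)` and a connection created
// by the caller (mysqli for the escaping variant, PDO for the prepared one).
declare(strict_types=1);

// Variant 1: what the question describes. real_escape_string() only protects
// a value that is then placed inside a quoted SQL string literal, and only
// when the connection charset has been set with $db->set_charset() so the
// escaper knows which bytes are quote characters.
function insertCommentEscaped(mysqli $db, string $author, string $body): bool
{
    $a = $db->real_escape_string($author);
    $b = $db->real_escape_string($body);
    $sql = "INSERT INTO comments (author, body) VALUES ('$a', '$b')";
    return $db->query($sql) !== false;
}

// Variant 2: prepared statement. SQL text and data travel separately, so
// there is nothing to escape and unquoted contexts (numbers, LIMIT) are
// covered as well.
function insertCommentPrepared(PDO $db, string $author, string $body): bool
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    return $stmt->execute([':author' => $author, ':body' => $body]);
}

// Reading a row by an integer id: bind it as an int rather than escaping,
// because real_escape_string() does nothing useful for `... WHERE id = $id`
// where the value is not inside quotes.
function fetchCommentById(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output side. Stored text is data, not markup: encode it at the moment it
// is written into HTML instead of stripping tags at input time. The browser
// then shows "<script>" as literal text and never executes it.
function renderComment(string $author, string $body): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<p><b>' . htmlspecialchars($author, $flags, 'UTF-8') . '</b>: '
         . nl2br(htmlspecialchars($body, $flags, 'UTF-8')) . '</p>';
}

// Constructed sample input, so the output-encoding part runs without a database.
echo renderComment("O'Reilly", "<script>alert(1)</script>\nsecond line"), "\n";
```

For the mysqli variant call `$db->set_charset('utf8mb4')` right after connecting; for the PDO variant pass `PDO::ATTR_EMULATE_PREPARES => false` in the connection options so the MySQL server binds the parameters itself rather than the client interpolating them. Encoding at output also keeps the stored data intact, which tag stripping at input does not.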
Emil:
I use the following as an include on all my form and cookie processing:
<?php
// Recursively undo the backslashes that magic_quotes_gpc adds to every
// string in a GPC array, leaving the array structure intact.
function stripFormSlashes($arr)
{
    if (!is_array($arr))
    {
        return stripslashes($arr);
    }
    else
    {
        return array_map('stripFormSlashes', $arr);
    }
}

// Only strip when PHP actually added the slashes, so nothing is stripped
// twice. (get_magic_quotes_gpc() was removed in PHP 8.)
if (get_magic_quotes_gpc())
{
    $_GET    = stripFormSlashes($_GET);
    $_POST   = stripFormSlashes($_POST);
    $_COOKIE = stripFormSlashes($_COOKIE);  // magic quotes apply to cookies too
}
If anyone sees a reason why I shouldn't, please clue me.
tedd
--
--------------------------------------------------------------------------------
http://sperling.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
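An added, stand-alone example (not tedd's or Emil's code) showing why tedd's normalisation matters when combined with the escaping Emil does: with magic_quotes_gpc on, a value arrives already backslashed, and escaping it a second time stores a stray backslash in the database. It also shows a version-independent way to write the check, since get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in 8.0. The "database" here is simulated with stripslashes(), which is how MySQL's parser reads a backslash-escaped quoted literal, and addslashes() stands in for mysql_real_escape_string(), which needs a live connection; for the plain ASCII quote in the sample the two produce the same bytes (stated assumption; the real function is also charset-aware).

```php
<?php
// Added example, not code from the original thread. Runs without a database:
// the MySQL side is simulated by unescaping the literal the way the server
// parser would.
declare(strict_types=1);

// Constructed sample input, exactly as a browser would submit it.
const RAW_INPUT = "O'Reilly";

// What magic_quotes_gpc did before the script ran: addslashes() on GET/POST/COOKIE.
function simulateMagicQuotes(string $s): string
{
    return addslashes($s);
}

// Stand-in for mysql_real_escape_string(), which requires a connection.
// Assumption: for ASCII ' and \ the output is identical.
function escapeForSql(string $s): string
{
    return addslashes($s);
}

// What MySQL stores after parsing a backslash-escaped single-quoted literal.
function whatMysqlStores(string $escapedLiteral): string
{
    return stripslashes($escapedLiteral);
}

// tedd's recursive strip, unchanged in behaviour.
function stripFormSlashes($value)
{
    return is_array($value)
        ? array_map('stripFormSlashes', $value)
        : stripslashes($value);
}

// Guarded check that works on PHP 5 through 8: on 8 the function no longer
// exists, and function_exists() short-circuits before it would be called.
function magicQuotesActive(): bool
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

if (magicQuotesActive()) {
    $_GET    = stripFormSlashes($_GET);
    $_POST   = stripFormSlashes($_POST);
    $_COOKIE = stripFormSlashes($_COOKIE);
}

// Naive pipeline: magic quotes already escaped, the script escapes again.
$doubled = escapeForSql(simulateMagicQuotes(RAW_INPUT));

// Normalised pipeline: strip the magic-quotes layer first, escape exactly once.
$once = escapeForSql(stripFormSlashes(simulateMagicQuotes(RAW_INPUT)));

printf("escaped twice: %-14s -> stored: %s\n", $doubled, whatMysqlStores($doubled));
printf("escaped once:  %-14s -> stored: %s\n", $once, whatMysqlStores($once));
```

Running it shows the double-escaped literal `O\\\'Reilly` being stored as `O\'Reilly`, while the normalised path stores `O'Reilly`. The same reasoning applies in reverse to Emil's addslashes() habit: escaping is tied to one output context (a quoted MySQL literal), so it should happen once, at the point the value enters that context, never at input time.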