On Mon, Feb 27, 2006 at 12:20:51PM +0100, emil@xxxxxxxxxx wrote:
>
> Hi,
>
> What shall one do to avoid people that try to manipulate my server?
>
> I mysql_real_escape_string() all input from GET and POST.

The mysql_escape_string() will protect you from sql injections. The
thing you have to watch out for is if you have the php.ini directive
magic_quotes_gpc set to On, then you will end up with data in your
database like:

"I\'m escaped"

Which, if magic_quotes_gpc is Off, you will have in the db as:

"I'm escaped"

The latter is the one you want in the db.

To avoid these issues I would tend to avoid any magic_* .ini directives
and escape the data when I desire to. If you are building a tool that
may be used in any configuration setup, you have to detect in your code
what to do if the magic_* directive is on or off.

*see the magic directives in: http://php.net/ref.info

> A long time ago I think I used addslashes or something like that too,
> so people couldn't insert php code in their input. Is that still
> something I should do, or does mysql_real_escape_string() take care of
> that too? And is it even possible for a user to execute their own php
> code if I do not output the input via the eval() function?

The main difference between addslashes and mysql_real_escape_string()
is that addslashes() is designed to protect against what php may think
is harmful, while mysql_real_escape_string() is designed to protect
against what the db server thinks is harmful.

> When users' input is displayed for others than themselves I try to
> filter out html tags too.

Instead of filtering out html tags, your best option is to apply either
htmlentities() or htmlspecialchars() to the output from the input by a
user.

Curt.
--
cat .signature: No such file or directory

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
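The three points Curt makes (detect magic_quotes_gpc so you escape exactly once, escape for the database server rather than for PHP, and entity-encode on output instead of stripping tags) put together in one script. This is an added example, not code from the mail or from PHP's documentation. It is written against the mysqli extension, so mysqli_real_escape_string() stands in for the mysql_real_escape_string() the mail names; the host, user, password, database name "app" and table comments(body TEXT) are placeholders assumed for the example, and the comment string is constructed input.

```php
<?php
// Added example (not from the original mail). Assumes mysqli and a local
// MySQL database "app" with a table comments(body TEXT); the connection
// details below are placeholders.

// Undo magic_quotes_gpc so the value is exactly what the user typed.
// On PHP builds where magic_quotes_gpc=On, $_GET/$_POST already carry
// backslashes; escaping those again is what stores "I\'m escaped".
// The function_exists() guard keeps this working on PHP 8, where
// get_magic_quotes_gpc() no longer exists.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Escape for the database server, using the connection's charset, so that
// what the *server* treats as special (quotes, backslash, NUL, ...) is
// neutralised. This is the job addslashes() was never designed for.
function sql_escape(mysqli $db, string $value): string
{
    return mysqli_real_escape_string($db, raw_input($value));
}

// Encode for the browser: &, <, >, " and ' become entities, so user text
// can neither open a tag nor break out of an attribute. Nothing is removed,
// so the user still sees exactly what they typed.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Placeholder connection details (assumption for this example).
$db = new mysqli('localhost', 'app', 'secret', 'app');
$db->set_charset('utf8mb4');

// Constructed sample input, as a user could send it in a POST body:
// an apostrophe, an HTML tag and a classic injection fragment.
$comment = "I'm <b>escaped</b>; x' OR '1'='1";

// Escape once, on the way into the query. The stored row keeps the
// apostrophes but gains no backslashes, whichever way magic quotes is set,
// and the OR '1'='1 fragment stays inside the string literal.
$sql = "INSERT INTO comments (body) VALUES ('" . sql_escape($db, $comment) . "')";
$db->query($sql);

// Encode once, on the way out to HTML, instead of filtering tags.
echo '<p>' . html_encode($comment) . '</p>';
```

The two functions are deliberately separate: sql_escape() is only ever applied to a value that is about to be spliced into a query string, and html_encode() only to a value about to be written into a page. Applying either one at input time, or storing the encoded form, is what leads to the doubly escaped rows the mail describes.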