Haydar Tuna wrote:

> 1) If you protect your site from SQL Injection, you must replace all quote
> and blank character in your form data. (with string functions)

A better approach is data inspection. For example, if you know a field should
only ever contain letters, you can use ctype_alpha() to confirm that. Since
alpha characters would never create a script injection, you don't even need to
do anything further with it.

If you need to allow dangerous characters, use an appropriate escaping
algorithm. I work with MySQL all the time, so I use the real_escape_string()
method of the mysqli object when necessary.

The conceptual key to writing secure applications is understanding that ALL
input is tainted (i.e. potentially dangerous). This includes the results of
database queries. Your PHP application has no way to know the data coming out
of the database is positively safe. Using inspection and escaping as
appropriate, you transform tainted data into safe data. I will often do so
this way:

    <?php
    $mysql = array();
    if (isset($_POST['firstName']) && ctype_alpha($_POST['firstName']))
        $mysql['firstName'] = $_POST['firstName'];
    if (isset($_POST['comments']))
        // $database holds a mysqli object
        $mysql['comments'] = $database->real_escape_string($_POST['comments']);

From this point onward in my application, all operations work with the values
in the $mysql array, because I have either confirmed it as safe or escaped it
appropriately.

> 3) if comparing passwords are true, then you must use session variables for
> username

You don't have to, but it's generally convenient to do so. You should be aware
of session hijacking and place safeguards in the session data, such as
checking IP and/or user agent.

> 4) if user forget his or her password, you can send email to the user when
> the user answer password protected question.

Kinda impossible if the password is hashed, isn't it? What a strange thought,
though. I guess all those sites with password reminder functions have the
password stored in plain text somewhere.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
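The inspect-then-escape pattern from the reply above, generalised to a rule table, as an added example that is not code from the original post. It assumes a reachable MySQL server (the connection details are placeholders) and the helper name cleanInput is hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: whitelist inspection where a whitelist exists (letters only,
// digits only), escaping only where dangerous characters must be allowed.
// Assumes a reachable MySQL server; the connection values are placeholders.

/**
 * Turn tainted request data into an array of values safe to place inside
 * quoted SQL string literals. $rules maps field => 'alpha' | 'digit' | 'escape'.
 * A field that fails inspection is dropped rather than passed through, so
 * later code can never read an unchecked value from the result.
 */
function cleanInput(array $tainted, array $rules, mysqli $database): array
{
    $safe = [];
    foreach ($rules as $field => $rule) {
        if (!isset($tainted[$field]) || !is_string($tainted[$field])) {
            continue; // missing, or an array submitted as field[]=... instead of a string
        }
        $value = $tainted[$field];
        if ($rule === 'alpha' && ctype_alpha($value)) {
            $safe[$field] = $value;        // letters only: nothing to escape
        } elseif ($rule === 'digit' && ctype_digit($value)) {
            $safe[$field] = $value;        // digits only
        } elseif ($rule === 'escape') {
            // Quotes, backslashes and NUL bytes are escaped according to the
            // connection's character set, so set_charset() must run first.
            $safe[$field] = $database->real_escape_string($value);
        }
    }
    return $safe;
}

$database = new mysqli('localhost', 'user', 'password', 'app'); // placeholders
$database->set_charset('utf8mb4');

// Constructed request data standing in for $_POST.
$post = [
    'firstName' => "Rob'ert",               // fails ctype_alpha, so it is dropped
    'age'       => '42',
    'comments'  => "Loved O'Reilly's book",  // apostrophes allowed, so escaped
];
$rules = ['firstName' => 'alpha', 'age' => 'digit', 'comments' => 'escape'];
$mysql = cleanInput($post, $rules, $database);

// From here on only $mysql values reach SQL, and escaped values are always quoted.
$sql = sprintf("INSERT INTO feedback (age, comments) VALUES ('%s', '%s')",
    $mysql['age'] ?? '', $mysql['comments'] ?? '');
var_dump($mysql, $sql);
```

Because real_escape_string() follows the connection's charset, an escaped value is only safe for the connection it was escaped on, which is why the charset is set before any input is processed.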