if you really want to get to the real low level details of an app... unless you're dealing with an app that's seriously crunching, and extremely sensitive to returning data to the user's browser in a timely manner, you should write all replies back to a db/tbl... this would allow you as the developer to have a complete trek of the actions/paths (to an extent) for any potential debugging issue.

-----Original Message-----
From: Ashley Sheridan [mailto:ash@xxxxxxxxxxxxxxxxxxxx]
Sent: Thursday, May 21, 2009 7:00 AM
To: Sumit Sharma
Cc: php-general@xxxxxxxxxxxxx
Subject: Re: Fwd: SECURITY PRECAUTION BEFORE SUBMITTING DATA IN DATABASE

On Thu, 2009-05-21 at 19:17 +0530, Sumit Sharma wrote:
> One more thing, should I use @ for security purpose or not so that the user
> can reply me with the errors so that I can troubleshoot the problem more
> effectively.
>
>
> Sumit
>
> ---------- Forwarded message ----------
> From: Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx>
> Date: Thu, May 21, 2009 at 6:36 PM
> Subject: Re: SECURITY PRECAUTION BEFORE SUBMITTING DATA IN DATABASE
> To: Sumit Sharma <sumitphp5@xxxxxxxxx>
> Cc: php-general@xxxxxxxxxxxxx
>
>
> On Thu, 2009-05-21 at 18:22 +0530, Sumit Sharma wrote:
> > Hi,
> >
> > I am designing a php website for my client which interacts with a database.
> > This is my first project for any client (I hope he is not reading this mail
> > ;-) ). I am a bit more concerned with database security. Can somebody shed
> > some light on the security measures, precautions, and functions related
> > to database security in general to make sure that the data is safely stored,
> > updated and retrieved from the database. I have already used htmlentities(),
> > strip_tags(), addslashes(), and some regular expressions to check security.
> > Looking for help beyond this.
> >
> >
> > Thanks in advance...
> > Sumit
>
> I'd advise using something like mysql_real_escape_string() (assuming you
> are using a MySQL database that is) on each variable of data before you
> insert it into the database. You could go further and validate specific
> data, so check that a field which you expect a number only contains a
> number, etc.
>
>
> Ash
> www.ashleysheridan.co.uk

I'd avoid using @ in favour of turning the errors off in your php.ini or .htaccess, as there's no chance of you missing a statement here or there. It's generally accepted practice to have errors and warnings turned off on a live server, and to only use them on development servers.

Ash
www.ashleysheridan.co.uk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
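An added example, not code from the thread, putting Ash's two points into practice: escape each value and validate it against the type you expect, and keep error output out of the browser instead of silencing it with @. It assumes a hypothetical `guestbook(name, age, message)` table and an open mysqli connection in `$db`; because the mysql_* extension named in the thread was removed in PHP 7, mysqli's real_escape_string() stands in for mysql_real_escape_string().

```php
<?php
// Added example, not from the thread. Assumes a hypothetical table
// guestbook(name, age, message) and an open mysqli connection in $db.

// Validate each field against the type you expect before it goes near SQL.
function validate_entry(array $in): array {
    $errors = [];
    if (!isset($in['age']) || !ctype_digit((string)$in['age']) || (int)$in['age'] > 150) {
        $errors[] = 'age must be a whole number';
    }
    if (!isset($in['name']) || !preg_match('/^[\p{L} \'-]{1,60}$/u', $in['name'])) {
        $errors[] = 'name contains unexpected characters';
    }
    if (!isset($in['message']) || strlen($in['message']) > 2000) {
        $errors[] = 'message missing or too long';
    }
    return $errors;
}

// Weak: raw input concatenated into SQL; a quote inside $in['name'] ends the string literal.
function weak_insert(mysqli $db, array $in): bool {
    $sql = "INSERT INTO guestbook (name, age, message) VALUES ('{$in['name']}', {$in['age']}, '{$in['message']}')";
    return $db->query($sql) === true;
}

// Hardened: validate first, then escape every string with the connection-aware escaper.
function safe_insert(mysqli $db, array $in): bool {
    if (validate_entry($in)) {
        return false; // reject bad input rather than trying to clean it up
    }
    $name = $db->real_escape_string($in['name']);
    $msg  = $db->real_escape_string($in['message']);
    $age  = (int)$in['age']; // digits-only by validation; the cast leaves no room for SQL
    $sql = "INSERT INTO guestbook (name, age, message) VALUES ('$name', $age, '$msg')";
    if ($db->query($sql) !== true) {
        // Neither @-silenced nor echoed to the visitor: logged where the developer reads it.
        error_log('guestbook insert failed: ' . $db->error);
        return false;
    }
    return true;
}

// The live-server setting Ash describes, applied here as a fallback if php.ini/.htaccess do not.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
```

On current PHP, mysqli prepared statements with bind_param() remove the manual escaping step entirely; the validation and logging shown here still apply unchanged.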