At 2:38 PM +0300 5/19/11, Andre Polykanine wrote:
> Oh my... I hate those PDFs :-((
> Could someone tell me in some words what I need to do besides
> mysql_real_escape_string() and HTML input sanitizing?
> Thanks and sorry for the inconvenience)
Hi:
Here is part of what I wrote for my PHP class -- perhaps it will help:
There are two simple rules in handling data:
Rule Number 1 is to "filter input".
What that means specifically is to make certain that the user input
is EXACTLY what you expect. You can filter, scrub, inspect, compare,
or replace whatever comes in with what you expect. You need to be
aware of what can come from a user and be able to deal with that data
safely.
Rule Number 2 is to "escape output".
What that means specifically is to transform any given chunk of data
to a format that is suitable for the output medium.
For example, ANY output headed to the browser should have
htmlentities() performed on it.
If the data is headed to a database, it should have a
database-specific function called, such as mysql_real_escape_string().
If the data is going to be included within a URL (i.e., GET
parameter), it needs to pass through the urlencode() function.
If the data is headed to XML it should have some kind of XML function
called to wrap it in a CDATA or a pre-defined data format.
If the data is headed out to JavaScript, then you need json (i.e.,
json_encode, json_decode, and json_last_error).
So, you really just have TWO considerations:
Filter input; Escape output
It matters because Evil People do exist, and they WILL find a way to
cause damage to you, and even to others, if you fail to protect your
data and code.
Common hacks include executing SQL to damage databases, or adding
JavaScript to deface web-sites or even adding JavaScript to use YOUR
web-site in an attack upon another website.
Here is a good starting point for some of the details of what to do
and why: http://phpsec.org/
HTH's
tedd
--
-------
http://sperling.com/
--
PHP General Mailing List (http://www.php.net/)
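Added example, not from this thread or any of its posters: the two rules above in PHP, with one piece of user data escaped for each output context listed. Function and variable names are assumptions for illustration; the database case is shown with a PDO prepared statement, since mysql_real_escape_string() needs a live connection and the mysql extension it belongs to was removed in PHP 7.

```php
<?php
// Added example (not from the mailing-list thread). Names are assumptions.

// Rule 1: filter input. Accept only what you expect; reject everything else.
function filter_username(string $raw): ?string {
    // Whitelist: 3-20 characters, letters, digits or underscore only.
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $raw) ? $raw : null;
}

function filter_page_number(string $raw): ?int {
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// Rule 2: escape output, choosing the function by destination.
function for_html(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function for_url(string $s): string {
    return urlencode($s);
}

function for_js($value): string {
    // JSON_HEX_* keeps "</script>" and quotes from closing an inline script block.
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function for_xml(string $s): string {
    // A CDATA section cannot contain "]]>", so split the section wherever it appears.
    return '<![CDATA[' . str_replace(']]>', ']]]]><![CDATA[>', $s) . ']]>';
}

// Constructed sample input, shaped like an untrusted form field.
$comment = 'Tom & Jerry <script>alert(1)</script> "quoted"';

echo 'HTML: ' . for_html($comment) . PHP_EOL;
echo 'URL:  ?q=' . for_url($comment) . PHP_EOL;
echo 'JS:   var c = ' . for_js($comment) . ';' . PHP_EOL;
echo 'XML:  ' . for_xml($comment) . PHP_EOL;

var_dump(filter_username('tedd_42'), filter_username('tedd; DROP'));
var_dump(filter_page_number('7'), filter_page_number('-1'));

// Database destination: a prepared statement keeps the data out of the SQL text,
// so no escaping function has to be chosen per query ($pdo is an assumed PDO handle).
// $stmt = $pdo->prepare('SELECT * FROM posts WHERE author = ?');
// $stmt->execute([filter_username($_GET['author'] ?? '')]);
```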