On Thu, Jun 25, 2020 at 8:50 AM Ashkar Dev <ashkardev@xxxxxxxxx> wrote:
>
> Thanks for your replies,
>
> but could any of you give some code for validating a form field, for example, getting the first name field text and inserting it into the database at this line:
>
> $firstName = $_POST['fname'];
>
> which PHP functions should I use here on $_POST['fname'] to remove tags from it, and prevent other security-related attacks?
>
> And if I used pg_query( , ) is it safe if I don't use PDO? How is it safe?
>

I think w3schools and codeacademy have php classes. If I remember correctly, their examples about interacting with databases and running queries show sanitation examples. I myself have used them many times. Google (ok duckduckgo) tells me there are many other sites offering courses, some free and some paid for.

> And if anyone needs to learn PHP, which website is good to provide non-copyrighted code? While PHP manual code is copyrighted, so what's the benefit of reading the manual without using the code they provide?
>

Er, reading a manual or tutorial is to learn how to use some language. Their code is there as an example of how to do something, supporting or elaborating on the "lesson" (if you will); apply the *concept* to your needs. If you do not like their terms, find somewhere else with terms you feel comfortable with.

>
> On Thu, Jun 25, 2020 at 9:51 AM Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
>>
>>
>>
>> On June 24, 2020 11:36:15 PM UTC, Kevin Waterson <kevin.waterson@xxxxxxxxx> wrote:
>> >The best way to learn is to start coding, and ask lots of questions.
>> >There are plenty of sites on the web which provide shitty code.
>> >DO NOT COPY AND PASTE.
>> >While the urge to simply copy somebody's code, and paste it into your application is inviting, this practice only leads to heartache and tears.
>> >You are certainly on the right track when asking about security. While you can write insecure code in any language, PHP perhaps lowers the bar in this regard.
>> >As your question relates to databases, let's start there.
>> >PHP provides PDO for database operations, and allows variable binding and prepared statements.
>> >Prepared statements are great for stopping SQL injection, but this is a last stop.
>> >The real question is, why would you send data to a database query without being sure of the type and length of the data you are sending?
>> >Validation:
>> >Everything coming from userland (eg: a website) should be regarded as insecure.
>> >Sure, you can put some HTML5, or javascript, validations on an email address, but changing the form type from "email" to "text" is a trivial task.
>> >To be absolutely sure of the content of input, you must create your own validations.
>> >How long can this address be? eg: If the email is being stored in a VARCHAR field, then 255 would be the max length.
>> >It must also contain a "@" character.
>> >It must end in ".something"
>> >These validations must be performed BEFORE you send the email address to the database.
>> >
>> >I, and many others here, are happy to answer your questions, and it sounds like you are beginning at the right place.
>> >
>> >Kev
>> >
>> >On Thu, Jun 25, 2020 at 6:56 AM Ashkar Dev <ashkardev@xxxxxxxxx> wrote:
>> >
>> >> Hi all,
>> >> could anyone give some detail about how to make a PHP web application secure?
>> >> for example validation of a form while using a PostgreSQL database,
>> >>
>> >> by the way, could you explain how users can freely learn PHP while the code from the PHP website is copyrighted? Are developers able to use code from the PHP website or manual?
>> >>
>>
>> To add to the security question, have a look at the OWASP Top 10 (https://owasp.org/www-project-top-ten/ ) and things like the PHP security advent calendar (https://blog.ripstech.com/2018/php-security-advent-calendar/ )
>>
>> Thanks,
>> Ash
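The flow the thread describes (validate type and length first, then hand the value to PostgreSQL through a parameterised query) as one added, stand-alone example; this is not code from the thread or from any of the posters. It assumes PHP 8.0 or later, a hypothetical table `users(first_name varchar(100), email varchar(255))`, and placeholder connection details; the email rules are the ones Kevin lists (at most 255 characters, contains "@", ends in ".something"). It also shows the answer to the pg_query question: without PDO, `pg_query_params()` is the pgsql-extension equivalent of a prepared statement, whereas building the SQL string with `pg_query()` is not safe.

```php
<?php
// Added example (not from the original thread). Assumptions: PHP >= 8.0,
// a hypothetical table users(first_name varchar(100), email varchar(255)),
// and placeholder DSN/credentials.
declare(strict_types=1);

/**
 * Validate the first name: must be a string, non-empty after trimming,
 * no longer than the column (100), and made of letters, spaces, hyphens
 * and apostrophes only. Returns the clean value or null on failure.
 */
function validateFirstName(mixed $raw): ?string
{
    if (!is_string($raw)) {            // missing key or an array => reject
        return null;
    }
    $name = trim($raw);
    if ($name === '' || mb_strlen($name) > 100) {
        return null;
    }
    if (preg_match('/^\p{L}[\p{L} \'\-]*$/u', $name) !== 1) {
        return null;
    }
    return $name;
}

/**
 * Validate the email with the rules from the thread (<= 255 chars for a
 * VARCHAR(255), contains "@", ends in ".something") plus PHP's own
 * syntax check via filter_var(). Returns the clean value or null.
 */
function validateEmail(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $email = trim($raw);
    if (strlen($email) > 255 || !str_contains($email, '@')) {
        return null;
    }
    if (preg_match('/\.[A-Za-z]{2,}$/', $email) !== 1) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

// Option 1: PDO prepared statement. Values travel separately from the SQL
// text, so nothing in $firstName or $email can alter the statement.
function insertUserPdo(PDO $db, string $firstName, string $email): void
{
    $stmt = $db->prepare(
        'INSERT INTO users (first_name, email) VALUES (:fname, :email)'
    );
    $stmt->execute([':fname' => $firstName, ':email' => $email]);
}

// Option 2: the pgsql extension without PDO. pg_query_params() binds
// $1/$2 server-side; never interpolate user input into a pg_query() string.
function insertUserPg($conn, string $firstName, string $email): void
{
    $res = pg_query_params(
        $conn,
        'INSERT INTO users (first_name, email) VALUES ($1, $2)',
        [$firstName, $email]
    );
    if ($res === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
}

// Request handling: validate BEFORE touching the database.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $firstName = validateFirstName($_POST['fname'] ?? null);
    $email     = validateEmail($_POST['email'] ?? null);

    if ($firstName === null || $email === null) {
        http_response_code(400);
        exit('Invalid first name or email address.');
    }

    // Placeholder DSN and credentials (hypothetical).
    $db = new PDO('pgsql:host=localhost;dbname=app', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares
    ]);
    insertUserPdo($db, $firstName, $email);

    // Tags are not stripped on input. The value is encoded at the point it
    // is written into HTML, which is what actually prevents script injection.
    echo 'Welcome, ' . htmlspecialchars($firstName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

Two design points worth noting. The validators return the cleaned value rather than a boolean, so the rest of the code can only ever see a value that passed the checks. And "removing tags" is deliberately not done on input: the same first name might later be placed in HTML, in a JSON response or in an email, and each of those needs its own encoding at output time, with `htmlspecialchars()` covering the HTML case shown here.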