Professional Documents
Culture Documents
Before you read and criticize further, there is no such thing as perfect
security. Every countermeasure has its flaws, the only way you can do it
to reduce the chances of successful attacks against your website by using
simple techniques such as input validation in PHP programming language.
So how you will start securing your web application? This tutorial
emphasis on POST method of form submission. The main objective is to
prevent cross side scripting attacks (XSS) and MySQL injection attacks.
There are a LOT of solutions out there on the Internet by just Googling
it out, but most of them can be complex to understand. So how can you
make it as simple as possible and compromising the strength of the
security level?
To simplify the illustration, see a sample secure PHP web form below:
<!--
google_ad_client = "pub-8259984129695446";
/* 160x90, created 4/10/11 */
google_ad_slot = "2189053493";
google_ad_width = 160;
google_ad_height = 90;
//-->
<html>
<head>
Best practices when using POST in PHP and in MySQL
</head>
<body>
<form action="<?php echo $_SERVER['PHP_SELF']; ?" method="post">
This tool will test sanitizing POST in PHP. Input XSS or MySQL injection
codes and you will see the output below. View the source code also.
<textarea name="postinput" rows="10" cols="50"></textarea>
<?php
//check if the form has been submitted
if (isset($_POST['postinput'])){
include 'connect.php';
//This is the sanitizing function
function sanitize($data){
$data=trim($data);
$data=htmlspecialchars($data);
$data = mysql_real_escape_string($data);
return $data;
}
//Now to use the sanitizing function, simple use it to sanitize the POST.
$clean= sanitize($_POST['postinput']);
echo $clean;
}
//Now do any database related queries here now that everything is CLEAN.
?>
</body>
</html>