* Thus wrote [EMAIL PROTECTED] ([EMAIL PROTECTED]):
> Hi to all, can anyone tell me what is the correct way to write secure
> applications in php and how is the best way to remove or prevent the
> backtick operator.

You can use escapeshellarg to prevent this...
http://php.net/escapeshellarg

> I think that my code is very insecure.
> What is the correct way to do this ???
>
> $Myusername = isset($HTTP_POST_VARS['username']) ? trim(htmlspecialchars
> ($HTTP_POST_VARS['username'])) : '';
>
> $Myusername = substr(str_replace("\'", "'", $Myusername), 0, 25);
>
>
> if ($Myusername ==""){
> exit;
> }
> elseif (eregi(";", $Myusername) ){
> echo "Hacking attempt";
> exit;
> }
> [...]

Instead of using the logic 'allow all except this', use 'allow none except this'.
You can get this done in one line:

// ^ and $ anchor the pattern so the whole value must match, not just a substring
if (!preg_match('/^[a-z0-9_-]{6,25}$/i', $HTTP_POST_VARS['username'])) {
    echo "Invalid username";
}

This will only allow the characters inside the [] and the string must be a
minimum of 6 characters with a max of 25.

HTH,
Curt
--
"I used to think I was indecisive, but now I'm not so sure."

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
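The allowlist check from the reply, worked through as an added example (not code from the post or its author): an anchored allowlist validator next to the unanchored form, run over constructed inputs, then escapeshellarg() for the one case where a validated value still has to reach a shell. The helper names are my own.

```php
<?php
declare(strict_types=1);

// Anchored allowlist: the entire value must be 6..25 permitted characters.
// \z is used instead of $ because in PCRE, $ also matches just before a
// trailing newline, so "alice_01\n" would otherwise pass.
function isValidUsername(string $name): bool
{
    return preg_match('/^[a-z0-9_-]{6,25}\z/i', $name) === 1;
}

// Unanchored form: only requires that SOME run of 6..25 permitted characters
// exists somewhere in the value; everything around it goes unchecked.
function isValidUsernameUnanchored(string $name): bool
{
    return preg_match('/[a-z0-9_-]{6,25}/i', $name) === 1;
}

// Constructed sample inputs covering the cases that differ.
$samples = [
    'alice_01',             // valid
    'bob',                  // too short
    'alice1; id',           // allowed prefix followed by rejected characters
    "alice_01\n",           // trailing newline
    str_repeat('a', 30),    // too long
];

foreach ($samples as $s) {
    printf("%-16s anchored=%s  unanchored=%s\n",
        json_encode($s),
        isValidUsername($s) ? 'ok ' : 'bad',
        isValidUsernameUnanchored($s) ? 'ok ' : 'bad');
}

// Even a validated value is passed to a shell as one quoted argument,
// never interpolated into the command string.
$user = 'alice_01';
if (isValidUsername($user)) {
    $cmd = 'id ' . escapeshellarg($user);
    echo $cmd, "\n";
}
```

Validation limits what a value may contain; escapeshellarg() limits how the shell interprets it, and the two are independent layers.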