--- Jeremy Russell <[EMAIL PROTECTED]> wrote:

> I was just sitting here thinking how to secure my php code and
> thought I would run it by the pros. I don't know what the standard
> practice is to secure against sql injection and malformed information
> passed from forms. This probably has been done several times; I just
> would like to know if I should do it this way or if there is a better
> way.
>
> What I thought to do is create a function that simply went through a
> variable and removed the quotes. Something that could be used when
> pulling the variables from the form right off the bat. i.e.
>
> $form_var = secure($_POST['var'];
Watch that closing paren. :-)

I am aware of a project that I believe attempts to do what you are wanting:

http://linux.duke.edu/projects/mini/htmlfilter/

Basically, it tries to help you out by eliminating some common attacks. While this is certainly better than nothing, it shouldn't be used as an excuse to not filter your data. This filter uses a blacklist approach, where bad stuff is filtered. You should add another layer of data filtering that follows a whitelist approach, where you only allow good stuff. Doing otherwise makes your application as secure as a Windows workstation with a virus scanner - you might be protected against known attacks, but as soon as someone comes up with something new, your defenses are irrelevant.

Hope that helps.

Chris

=====
My Blog
http://shiflett.org/

HTTP Developer's Handbook
http://httphandbook.org/

RAMP Training Courses
http://www.nyphp.org/ramp

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
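The whitelist layer Chris recommends, written out as an added example that is not part of the thread or of the htmlfilter project; the field names, the rules and the sample input are assumptions, chosen so that a quote-free but invalid value shows what a quote-stripping blacklist would let through.

```php
<?php
// Added example (not from the thread): a whitelist filter for form input,
// as opposed to a blacklist that strips quotes. Each field gets a rule
// describing the ONLY acceptable values; anything else is rejected rather
// than "cleaned up". Field names, rules and sample input are assumptions.

function whitelist_filter(array $input, array $rules): array
{
    $clean  = [];
    $errors = [];

    foreach ($rules as $field => $rule) {
        // A missing or non-string field is a failure, not a default.
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        $value = $input[$field];

        switch ($rule['type']) {
            case 'int':     // plain decimal digits only, then a range check
                $ok = preg_match('/^\d{1,9}$/', $value) === 1
                   && (int)$value >= $rule['min'] && (int)$value <= $rule['max'];
                break;
            case 'pattern': // an anchored regex gives the exact shape of a valid value
                $ok = preg_match($rule['regex'], $value) === 1;
                break;
            case 'enum':    // only a value from a fixed list of known-good options
                $ok = in_array($value, $rule['allowed'], true);
                break;
            default:        // an unknown rule type never lets data through
                $ok = false;
        }

        if ($ok) {
            $clean[$field] = $rule['type'] === 'int' ? (int)$value : $value;
        } else {
            $errors[$field] = 'rejected by whitelist rule';
        }
    }
    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed sample input standing in for $_POST. The username contains no
// quotes, so a quote-stripping blacklist would pass it unchanged; the
// whitelist rejects it because it does not match the allowed format.
$post  = ['username' => 'Admin Bob', 'age' => '42', 'role' => 'editor'];
$rules = [
    'username' => ['type' => 'pattern', 'regex' => '/^[a-z][a-z0-9_]{2,15}$/'],
    'age'      => ['type' => 'int',     'min' => 13, 'max' => 120],
    'role'     => ['type' => 'enum',    'allowed' => ['viewer', 'editor']],
];
print_r(whitelist_filter($post, $rules));
```

Only the values in `clean` should reach the rest of the application; the `errors` array is what you report back to the form.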