I wanted to run by everyone what I am doing in my application to help
prevent someone from inadvertently or intentionally breaking the system
and compromising security. First, some quick background. This is an
Apache/PHP/MySQL project. It is a wish list database where people can
create an account, then a wish list and share it with all their friends
and family so they will know what to get them for their birthday or
Christmas or whatever event. There are many other features that I won't
go into here; if you want to know more, you can take a look at the work
in progress at http://thewishzone.com:8086


The first thing I do when getting data from a POST or a GET is run it
through a function that first checks to make sure it isn't any longer
than I am expecting. (I will also eventually have JavaScript that does
client-side checking too, but a POST or GET can easily be faked, so I
am checking on the server side as well.) I then verify that every
character in the string is within the ASCII range of a space to the ~,
which is basically all the characters on the keyboard. If either test
fails, I print an error and stop the script. If the value is supposed to
be an integer or float, I also check to make sure there aren't any
non-numeric characters in the value. Then finally, before I put it in the
database, I use the mysql_real_escape_string function and put single
quotes around my values in the SQL statements.


Are there many PHP or MySQL configuration considerations for making the
site secure? I have already done the obvious with MySQL and set up the
grant tables with passwords for all users and removed the [EMAIL PROTECTED] user.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
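
The server-side checks described in the message above (length limit, space-to-~ byte range, numeric check), written out as an added example that is not the poster's code. The function name validate_field(), its parameters and the sample inputs are assumptions made for illustration; it throws an exception where the post prints an error and stops, and it covers only validation, not the escaping and quoting step at the SQL statement.

```php
<?php
// Added example, not code from the original post.
// validate_field() and its parameters are hypothetical names.
function validate_field(string $raw, int $maxLen, string $type = 'string')
{
    // 1. Length limit, counted in bytes (step 2 restricts input to
    //    single-byte ASCII, so bytes and characters coincide).
    if (strlen($raw) > $maxLen) {
        throw new InvalidArgumentException('value longer than expected');
    }
    // 2. Every byte must lie between space (0x20) and ~ (0x7E).
    //    \A and \z anchor the whole string; "$" would also match just
    //    before a trailing newline and let "42\n" through.
    if (!preg_match('/\A[\x20-\x7E]*\z/', $raw)) {
        throw new InvalidArgumentException('byte outside space..~ range');
    }
    // 3. Numeric fields: match the whole value against a number grammar.
    //    Only rejecting "non-numeric characters" would accept "1.2.3"
    //    or a lone "-", which are not numbers.
    if ($type === 'int') {
        if (!preg_match('/\A-?[0-9]+\z/', $raw)) {
            throw new InvalidArgumentException('not an integer');
        }
        return (int) $raw;
    }
    if ($type === 'float') {
        if (!preg_match('/\A-?[0-9]+(\.[0-9]+)?\z/', $raw)) {
            throw new InvalidArgumentException('not a float');
        }
        return (float) $raw;
    }
    return $raw;
}

// Constructed sample inputs: [value, maximum length, expected type].
$samples = [
    ['Red bicycle', 40, 'string'],
    ["Red\x00bicycle", 40, 'string'],     // embedded NUL byte
    [str_repeat('A', 300), 255, 'string'], // over the length limit
    ['12', 5, 'int'],
    ["42\n", 5, 'int'],                   // trailing newline
    ['1.2.3', 10, 'float'],               // digits and dots, not a number
];
foreach ($samples as [$value, $max, $type]) {
    try {
        echo 'accepted: ', var_export(validate_field($value, $max, $type), true), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected (', $e->getMessage(), '): ', addcslashes($value, "\0..\37"), "\n";
    }
}
```

The space-to-~ range also rejects any non-ASCII text, so names or item descriptions containing accented or multi-byte UTF-8 characters fail step 2.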


