Hi,

What should one do to stop people who try to manipulate my server?

I mysql_real_escape_string() all input from GET and POST.

A long time ago I think I used addslashes or something like that too, so people couldn't insert PHP code in their input. Is that still something I should do, or does mysql_real_escape_string() take care of that too? And is it even possible for a user to execute their own PHP code if I don't output the input via the eval() function?

When a user's input is displayed to others than themselves, I try to filter out HTML tags too.

Anything else I should think of?

Sorry if this has been asked a million times before. Thanks for your time.

/Regards Emil

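The question above mixes three different problems (SQL injection, PHP code injection, and HTML injection). The following is an added example, not code from this thread, that separates them. It uses PDO with an in-memory SQLite database so it runs offline; the assumption is that the same PDO calls work unchanged against MySQL with a mysql: DSN, and the helper names (check, findByName, h) and the sample inputs are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not code from the thread). It separates the three concerns
// the question runs together. PDO with an in-memory SQLite database is used
// so it runs offline (assumption: the same PDO calls work unchanged against
// MySQL with a mysql: DSN).

function check(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("FAILED: $what"); }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// 1. SQL. Escaping only helps inside a quoted string literal; with a
//    prepared statement the value never becomes part of the SQL text at all.
function findByName(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$injection = "x' OR '1'='1";                         // constructed $_GET['name']
check(findByName($db, $injection) === [], 'prepared statement: injection matches nothing');

// The same string spliced in unescaped returns every row (the classic bug).
$unsafe = "SELECT name FROM users WHERE name = '$injection'";
check(count($db->query($unsafe)->fetchAll()) === 2, 'string concatenation: injection succeeds');

// Escaping works only when the value sits between quotes; quote() does both.
// (For an unquoted numeric slot, "... WHERE id = " . escape("1 OR 1=1") is
// still injectable, because nothing in "1 OR 1=1" needs escaping.)
$escaped = 'SELECT name FROM users WHERE name = ' . $db->quote($injection);
check($db->query($escaped)->fetchAll() === [], 'escaped and quoted: injection fails');

// 2. PHP code. Input is inert text; it only runs if handed to eval(),
//    include/require, preg_replace() with the old /e modifier, or similar.
//    Neither addslashes() nor mysql_real_escape_string() has anything to do
//    with that; the fix is never to pass user data to those constructs.
$phpPayload = '<?php system("id"); ?>';
$db->prepare('INSERT INTO users (name) VALUES (:n)')->execute([':n' => $phpPayload]);
check(findByName($db, $phpPayload) === [$phpPayload], 'stored and read back as plain data');

// 3. HTML. Encode on output, for the context it is printed into, rather
//    than trying to filter tags out of the input.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
$xss = '<script>alert(1)</script>';
check(h($xss) === '&lt;script&gt;alert(1)&lt;/script&gt;', 'output encoding neutralises markup');
echo 'Rendered safely: ', h($xss), PHP_EOL;
```

The point to take from the SQL part is that mysql_real_escape_string() is only correct when the escaped value is immediately wrapped in quotes in the query string; a prepared statement removes that requirement. The HTML part keeps the raw input in the database and encodes at output time, which is what makes it safe to display the same value in a web page, an e-mail, or an API response later.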

Emil:

I use the following as an include on all my form and cookie processing:

// Recursively undo the backslashes that magic_quotes_gpc adds to quotes,
// backslashes and NUL bytes in GET/POST/cookie data, so the script sees
// exactly what the client sent and later escaping (for example
// mysql_real_escape_string()) is not applied on top of it.
function stripFormSlashes($arr)
{
    if (!is_array($arr))
    {
        return stripslashes($arr);
    }
    else
    {
        // Nested form fields (name[]) arrive as arrays; recurse into them.
        return array_map('stripFormSlashes', $arr);
    }
}

// Only strip when PHP actually added the slashes; stripping unconditionally
// would destroy legitimate backslashes in the input.
if (get_magic_quotes_gpc())
{
    $_GET    = stripFormSlashes($_GET);
    $_POST   = stripFormSlashes($_POST);
    $_COOKIE = stripFormSlashes($_COOKIE);  // magic quotes apply to cookies too
}

If anyone sees a reason why I shouldn't, please clue me in.

tedd
--
--------------------------------------------------------------------------------
http://sperling.com

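To show what goes wrong without the normalisation above, here is an added example, not tedd's code. magic_quotes_gpc no longer exists (removed in PHP 5.4; get_magic_quotes_gpc() itself is gone in PHP 8), so its effect is simulated with addslashes() on constructed input. PDO::quote() on an in-memory SQLite table stands in for the "mysql_real_escape_string() then splice into SQL" step; the assumption is that the double-escaping effect is the same with either escaper. The helper names (check, simulateMagicQuotes, storeAndRead) and the sample input are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not tedd's code. magic_quotes_gpc is simulated with
// addslashes() on constructed input; PDO::quote() on SQLite stands in for
// mysql_real_escape_string() plus the surrounding quotes (assumption).

function check(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("FAILED: $what"); }
}

// tedd's normaliser: undo magic quotes recursively.
function stripFormSlashes($value)
{
    return is_array($value) ? array_map('stripFormSlashes', $value) : stripslashes($value);
}

// What PHP did to $_GET/$_POST/$_COOKIE when magic_quotes_gpc was On.
function simulateMagicQuotes($value)
{
    return is_array($value) ? array_map('simulateMagicQuotes', $value) : addslashes($value);
}

// Escape, splice into SQL, insert, and read the row back.
function storeAndRead(PDO $db, string $name): string
{
    $db->exec('INSERT INTO t (name) VALUES (' . $db->quote($name) . ')');
    return (string) $db->query('SELECT name FROM t ORDER BY id DESC LIMIT 1')->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE t (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$typed = ['name' => "O'Brien", 'tags' => ["it's", 'a "quote"', 'C:\\path']];  // constructed
$gpc   = simulateMagicQuotes($typed);                                          // what $_POST held
check($gpc['name'] === "O\\'Brien", 'magic quotes added a backslash');
check($gpc['tags'][2] === 'C:\\\\path', 'and doubled the existing one');

// Skip the normalisation and escape again: the backslash is stored as data.
check(storeAndRead($db, $gpc['name']) === "O\\'Brien", 'double-escaped value persisted');

// Normalise first (tedd's approach), then escape once: the real value is stored.
$clean = stripFormSlashes($gpc);
check($clean === $typed, 'stripFormSlashes restores the input, nested arrays included');
check(storeAndRead($db, $clean['name']) === "O'Brien", 'single escaping stores the right value');

// The converse failure: stripping when nothing was added eats real backslashes,
// which is why the strip must be conditional on the ini setting.
check(stripFormSlashes($typed['tags'][2]) === 'C:path', 'unconditional strip corrupts data');

// In real pre-PHP 8 code the guard is the ini setting, not a simulation.
// function_exists() keeps this from fataling on PHP 8, where the function is
// gone, and @ silences the PHP 7.4 deprecation notice.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET    = stripFormSlashes($_GET);
    $_POST   = stripFormSlashes($_POST);
    $_COOKIE = stripFormSlashes($_COOKIE);
}
echo 'magic-quotes round trip OK', PHP_EOL;
```

Two things the example makes visible: magic quotes plus a second escaping step stores backslashes as data (the "O\'Brien" row), and stripping unconditionally destroys genuine backslashes, so the strip must stay behind the get_magic_quotes_gpc() check as tedd has it. Cookies receive magic quotes as well, so $_COOKIE belongs in the same block as $_GET and $_POST.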
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
