On Thu, 2009-05-21 at 19:17 +0530, Sumit Sharma wrote:
> One more thing, should I use @ for security purposes or not, so that the user
> can reply to me with the errors so that I can troubleshoot the problem more
> effectively.
> 
> 
> Sumit
> 
> ---------- Forwarded message ----------
> From: Ashley Sheridan <a...@ashleysheridan.co.uk>
> Date: Thu, May 21, 2009 at 6:36 PM
> Subject: Re: [PHP] SECURITY PRECAUTION BEFORE SUBMITTING DATA IN DATABASE
> To: Sumit Sharma <sumitp...@gmail.com>
> Cc: php-general@lists.php.net
> 
> 
> On Thu, 2009-05-21 at 18:22 +0530, Sumit Sharma wrote:
> > Hi,
> >
> > I am designing a PHP website for my client which interacts with a database.
> > This is my first project for any client (I hope he is not reading this
> > mail ;-) ). I am a bit more concerned with database security. Can somebody
> > shed some light on the security measures, precautions, and functions
> > related to database security in general to make sure that the data is safely
> > stored, updated and retrieved from the database. I have already used
> > htmlentities(), strip_tags(), addslashes(), and some regular expressions to
> > check security. Looking for help beyond this.
> >
> >
> > Thanks in advance...
> > Sumit
> 
> I'd advise using something like mysql_real_escape_string() (assuming you
> are using a MySQL database that is) on each variable of data before you
> insert it into the database. You could go further and validate specific
> data, so check that a field which you expect a number only contains a
> number, etc.
> 
> 
> Ash
> www.ashleysheridan.co.uk


I'd avoid using @ in favour of turning the errors off in your php.ini
or .htaccess, as there's no chance of you missing a statement here or
there.  It's generally accepted practice to have errors and warnings
turned off on a live server, and to only use them on development
servers.


Ash
www.ashleysheridan.co.uk
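The advice in this thread (validate each field, escape it for the query, and keep errors off on the live server rather than suppressing them with @) written out as an added example; this is not code from either poster, and it uses mysqli_real_escape_string() in place of mysql_real_escape_string() because the mysql_* extension no longer exists in current PHP. The `users(name, age)` table, the credentials, and the helper names are assumed for illustration.

```php
<?php
// Added example, not code from the thread. The live-server php.ini (or an
// .htaccess with php_flag display_errors off / php_flag log_errors on) is
// assumed to carry:
//   display_errors = Off   ; visitors never see errors or warnings
//   log_errors     = On    ; they still land in error_log for troubleshooting
// so nothing needs @ and no statement can be missed. Table/credentials are hypothetical.
$link = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
if (!$link) {
    error_log('DB connect failed: ' . mysqli_connect_error());
    exit('Service temporarily unavailable.');   // generic message only
}
mysqli_set_charset($link, 'utf8mb4');  // escaping must know the connection charset

// 1. Validate: a field expected to hold a number must contain only a number.
function validate_age($raw)
{
    if (!ctype_digit((string) $raw)) {
        return false;
    }
    $age = (int) $raw;
    return ($age > 0 && $age < 150) ? $age : false;
}

function validate_name($raw)
{
    $name = trim((string) $raw);
    // Byte length matching the column width; rejects empty and oversized input.
    return (strlen($name) >= 1 && strlen($name) <= 64) ? $name : false;
}

// 2. Escape for the SQL context only, after validation. HTML encoding
//    (htmlentities) belongs at output time, not before storage.
function insert_user($link, $name, $age)
{
    $safe_name = mysqli_real_escape_string($link, $name);
    $sql = sprintf("INSERT INTO users (name, age) VALUES ('%s', %d)", $safe_name, $age);
    if (!mysqli_query($link, $sql)) {
        error_log('insert_user failed: ' . mysqli_error($link)); // detail stays server-side
        return false;
    }
    return true;
}

$name = validate_name(isset($_POST['name']) ? $_POST['name'] : '');
$age  = validate_age(isset($_POST['age']) ? $_POST['age'] : '');
if ($name === false || $age === false) {
    exit('Invalid input.');
}
echo insert_user($link, $name, $age) ? 'Saved.' : 'Could not save your data.';
```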


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
