For input sanitizing, and this will be helpful to anyone who writes code, listen to Dan Kaminsky's keynote at "The Next HOPE". He did a very good job of explaining the landscape of web programming and the essence of SQL injection and XSS, and proposed pretty neat ways to fix these.

If you are writing the app from scratch, to prevent SQL injection, use mysqli + prepared statements... or implement the base64 hack. Or, I am working on a library to simplify and secure MySQL in PHP for some of my work; though it's got a few implementation quirks, it does fail by default, it does not allow you to insecurely interpolate, and it does use prepared statements for everything. I am sharing it with anyone who wants to look at it...

Anyways, here's a direct link: http://c2047862.cdn.cloudfiles.rackspacecloud.com/Friday%20Keynote%20-%20Dan%20Kaminsky.mp3

Enjoy,
Alex

--
The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray

On Wed, May 18, 2011 at 9:18 PM, Jason Pruim <li...@pruimphotography.com> wrote:
> Hey Everyone,
>
> Probably a simple question, but I wanted to make sure I was right before I
> got too far ahead of myself....
>
> I have a form that I am working on, and this form will be emailed to the
> recipient for processing (not stored in a database).
>
> When I store in a database, I simply run all the data through
> mysql_real_escape_string() and it's all good... Without the database, is it
> just as easy as addslashes($var)? Or is there more that needs to be done?
>
> In the end, the info will be echoed back out to the user to be viewed but
> not edited, and emailed to someone to add the registration, collect money, etc.
>
> Am I on the right track, or do I need to rethink my whole process? :)
>
> Thanks Everyone!
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
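The point both messages circle around is that there is no single "sanitize" step: the escaping depends on where the data is going. The script below is an added example, not code from the thread or from Alex's library, and the table name, addresses and credentials in it are made up. It shows the three contexts Jason's form touches: a mysqli prepared statement if the data is ever stored, htmlspecialchars() when it is echoed back, and a CR/LF check for any value that ends up in a mail header, since a newline there lets the submitter add headers of their own. addslashes() helps with none of these.

```php
<?php
// Added example (not from the original thread). Escaping is per destination:
// bound parameters for SQL, htmlspecialchars() for HTML, and no CR/LF in
// anything that becomes a mail header. Table name, addresses and credentials
// below are assumptions for illustration.

declare(strict_types=1);

// 1. SQL: bind the value; never interpolate it into the query text.
function storeRegistration(mysqli $db, string $name, string $email): int
{
    $stmt = $db->prepare('INSERT INTO registrations (name, email) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $name, $email); // values travel separately from the SQL
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// 2. HTML: escape at output time for the HTML context. addslashes() would
//    leave "<script>" completely intact.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Mail headers: a CR or LF inside a header value lets the sender append
//    headers (an extra Bcc:, for example). Strip them from free-text values
//    and validate addresses, which by definition cannot contain newlines.
function headerSafe(string $value): string
{
    return str_replace(["\r", "\n", "\0"], '', $value);
}

function validEmail(string $value): ?string
{
    $ok = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

// Constructed input, the kind a hostile visitor might submit through the form.
$input = [
    'name'  => "Robert'); DROP TABLE registrations;--",
    'email' => "victim@example.com\r\nBcc: everyone@example.com",
    'notes' => '<script>alert(1)</script>',
];

// Echo back to the user: HTML context.
echo '<p>Name: ' . html($input['name']) . '</p>';
echo '<p>Notes: ' . html($input['notes']) . '</p>';

// Email to the organizer: the body is free text; header values are cleaned.
$to      = 'registrations@example.com';          // assumed organizer address
$subject = 'Registration from ' . headerSafe($input['name']);
$headers = '';
if (($reply = validEmail($input['email'])) !== null) {
    $headers = 'Reply-To: ' . $reply . "\r\n";   // the injected Bcc: never gets here
}
$body = "Name: {$input['name']}\nEmail: {$input['email']}\nNotes: {$input['notes']}\n";
mail($to, $subject, $body, $headers);

// Only if the data is stored after all (assumed credentials):
// $db = new mysqli('localhost', 'app', 'secret', 'app');
// $db->set_charset('utf8mb4');
// storeRegistration($db, $input['name'], $input['email']);
```

With this input the SQL payload is stored as a plain string, the script tag is rendered as text, and the Reply-To header is dropped because the address fails validation; the raw value still appears in the mail body, which is the one place it is harmless.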