PHP Security - Part One

Clean All User Input

Anytime you use a $_POST, $_GET, or are receiving any information that the user can modify, you must be sure that you properly escape it, and clean it in some cases.

Preventing SQL Injection

I'm going to use a login form as an example. To query our database and check to see if they logged in correctly, you might use a query like...

select `username`, `password` from `users` where `username` = '$var' and `pass` = '$var2';

If someone were to type in ' or username like'%admin%'; -- into the login form, they would be logged in with an account that has the word admin in it. To fix this problem, after connecting to the MySQL server, you can use...

mysql_real_escape_string($var);

Using this will escape all characters that need to be escaped to prevent tampering with the MySQL query. Another problem for MySQL is % and _, which can be escaped using...

addslashes($var);

HTML filtering

Sometimes you may want to clean certain html entities in strings. To do this, you can use...

$var = “<b>bold</b>”;

htmlentities($var);

This would output: & l t ; b & g t ; bold & l t ; / b & g t ;

To change it back to a usable form, you can use...

html_entity_decode($var);

To strip the HTML tags from a string, and specify which strings you want to allow, you can use...

$var = “<a><b>link</a></b>”;

strip_tags($var, '<a><b>');

The second argument is not needed, passing just the variable you want to clean will strip all tags from the string. This example would only allow b and a tags through. However, it is important to note that strip_tags() is not failsafe; that is, malformed tags can remove more or less than you'd ideally like to.

To make sure that html does not render if it gets shown, you can use...

htmlspecialchars($var);

If you have a string that is escaped from using mysql_real_escape_string() or addslashes(), you can use stripslashes($var) to remove all of the slashes.

Putting it all together

And to put this all together into a function, you could use something like...

function CleanStr($var) {

stripslashes($var);

htmlentities($var);

strip_tags($var);

return $var;

}

Thanks for reading, in the next part we will be looking further into database security, webserver security, and more. For more security tips, check out PHP Security: Part Two, or for even better validation, 8 Practical PHP Regular Expressions.





The search engine marketing is a popular methodology for the marketing of any website nowadays. Some alike another way of marketing is online advertising through public forums and blogs. Some of the VOIP related websites like vonage offers internet phones systems, which enable the users to connect to phones using broadband connection. The cheap web hosting is a facility that can be availed by small businesses and is specially designed for those who work at home. One of the methods of earning online is through adwords affiliate. For high sales it is considered a must to have search advertising online, adword is one of the type of such advertising method.