Yeah so I've been doing a bit of php here. Right now I'm working on a simple SQL database where you can add yourself to a userlist and everyone can see you. I want to make the thing searchable and have tons of options on how it's displayed etc etc. I also need security login scripts etc. so someone could use this for say a clan member list and it would work fine. I don't know if somebody would want to actually use my script, but I at least want that degree of usability.
Right now I've been thinking a lot about security concerns because I've heard a lot of things about that. My friend made a similar script (though it's not as extensive as what I have you can add delete and edit a record but there's not a lot of options, uses XML instead of SQL and no login/user privlages etc.) and I noticed a strange thing about it. In trying to screw things up I noticed if I put my name with parenthesis in like "TWD" when it came out on page you'd see the escape backslash in front of them so you get \"TWD\" When I make my script I don't want to have this happen, and I know it's an enviromental variable you can change that adds that. The question is what if it doesn't add the \ in? Then is it possible for people to do stuff like make their name "; malicious scripts; etc; to screw things up?
In short the question is this: what are all the things I need to look out for as far as what people can input into the fields, how do I compensate?
I have other questions too relating to security and people spamming/abusing your script but let's start with this one.
