[Resolved] Protect website and database

Norman_Graham

If I have a form asking for user input (Send your comments!) and I insert the user input into a MySQL table, how should I protect both my website and my database? I already know about htmlspecialchars () for avoiding evil scripts. Are there any other processing methods I should apply to the users' input in order to protect the database and website? My book only mentions htmlspecialchars () [Wrox Beginning PHP4].

Thank you for your help

Norman

superwormy

www.php.net/mysql_escape_string

Might be nice also to check whether or not the input is what you are expecting. If you have a checkbox ( 1 for YES, 0 for NO ) check to see if the POST'd variable is_int() or is_numeric() cause I don't think POST things come over as INTs

Norman_Graham

Excellent, thank you very much. I've just been reading about 'SQL injection' and realised I would have to do something about it before launching my first website.

I've already included a certain amount of validation on the form - it runs htmlspecialchars in all entries, it checks the e-mail address to see if it is correctly formed (but not if it actually exists, which would be beyond my skills, I believe) and it checks to see if the fields are empty (name, e-mail, location [drop-down list], comment). Other than that, users can enter any old nonsense into the form. As long as I can prevent dangerous code from getting in, I'm happy to just delete garbage on a regular basis.

Norman