Hey guys, I'm doing a few things here that I needed opinions about. I'm not familiar with the common and most secure programming practices involving PHP. I've read some content here on the forums and learned a great deal, however I could use some suggestions.
I have a Yahoo SQL database and I'm using an HTML file that allows users to enter text information. I have the information validated, and if valid, a PHP script (let's say the file is x.php) is invoked. I have the DB information used directly in the connect statement (no variables). This is in plaintext, and I'm assuming this isn't the best idea. Should the name/password be stored as a text file on my server (the same server where the PHP script is running)? If so, I'm assuming I just place this in a password-protected directory on the shell? What is the common security practice for connecting to databases in PHP?
Next, I'm concerned about users entering data into the textboxes that might contain harmful content. Should the PHP function be used to change HTML char codes? (I'm sorry, I forgot the name of that function at the moment, but I remember it doing something to strip HTML so you couldn't add malicious things such as links to other scripts, etc.) Could someone elaborate a bit more on this?
Thanks a lot everyone!
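A worked version of both questions, as an added example and not code from the post: the credentials live in a PHP file outside the web root and are loaded with `require`, the insert goes through a PDO prepared statement, and `htmlspecialchars()` (the function you are thinking of; it encodes `<`, `>`, `&` and quotes rather than stripping them) is applied when the stored text is echoed back. The config path, the `comments`/`body` table and column, and the `comment` form field are assumptions.

```php
<?php
// Added example (not the poster's code). Assumes the credentials live in a
// file OUTSIDE the web document root, e.g. /home/example/private/db.php
// (placeholder path), readable only by the web server user (chmod 600).
// That file just returns an array:
//   <?php return ['dsn' => 'mysql:host=localhost;dbname=app;charset=utf8mb4',
//                 'user' => 'appuser', 'pass' => 'CHANGE-ME'];
// Outside the document root, a misconfigured server that serves .php files as
// plain text still cannot hand the file to a browser.
declare(strict_types=1);

$config = require '/home/example/private/db.php';

try {
    $db = new PDO($config['dsn'], $config['user'], $config['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
} catch (PDOException $e) {
    // Log the detail server-side; never echo the exception (it can contain the DSN).
    error_log('DB connect failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Service unavailable');
}

// Input from the form textbox (field name "comment" is an assumption).
$comment = $_POST['comment'] ?? '';
if ($comment === '' || strlen($comment) > 1000) {
    http_response_code(400);
    exit('Invalid input');
}

// 1) SQL injection: bind the value, never concatenate it into the query string.
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $comment]);

// 2) XSS: store the raw text and encode it at OUTPUT time for the HTML context.
//    htmlspecialchars() does not strip tags; it turns < > & " ' into entities
//    so the browser renders them as text instead of markup.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$rows = $db->query('SELECT body FROM comments ORDER BY id DESC LIMIT 20')->fetchAll(PDO::FETCH_COLUMN);
foreach ($rows as $body) {
    echo '<p>' . h($body) . '</p>';
}
```

Validation on the HTML side is only a convenience for the user; the checks and the encoding have to happen in x.php, since anyone can post to it directly without the form.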