validate form data to check security attacks

chamal

Hi,

I've heard that remote users can attack the web server computer, if i have made mistakes in my php coding.

I use php to store form submitted data in a mysql database and email them to another user.
Can a remote users execute linux commands through my php web pages, if they are badly written.

So can you advice me on what I should do.

I mean, for what(ex: special characters, words etc.) and how should I check the submitted data for sql poisoning and other attacks(Possibly execution of linux commands). What are the best ways of doing this.

Do I have to check form data for buffer overflow attacks. If so, how should I do it?

I have another question.
I use the php mail function to email form submitted data. Can a remote user use this, to attack the web server, if I do not check and validate the form submitted data.

Thanks a lot,
Chamal.

chat with Node.

rehfeld

yes its possible for yor code to be exploited if its poorly written, especially if you blindly put user input into sql queries.

heres a decent place to start reading.

http://www.php.net/security

you shouldnt have to worry much about the mail() function, as long as the to email address is not determined by user input. meaning, hardcode the to address into the script. dont let the form decide who the email is sent to.