SQL Injections



Hitman
24-11-2007, 04:18 PM
Hey!

I'm not good with security (lol), what do I need to do to secure my forums that put data into sql databases?

To stop sql injections, html etc?

Can somebody find me a tut or write the code with where it goes? I've used google, no use. I had it before, but the link is dead. :(

MrCraig
24-11-2007, 04:24 PM
Hey!

I'm not good with security (lol), what do I need to do to secure my forums that put data into sql databases?

To stop sql injections, html etc?

Can somebody find me a tut or write the code with where it goes? I've used google, no use. I had it before, but the link is dead. :(

Use a cleaning function :)



<?php
// Strips HTML tags and escapes quotes in a string before it is used.
function clean($str)
{
    $cl = strip_tags(addslashes(stripslashes(htmlspecialchars($str))));
    return $cl;
}
?>


Then use the cleaning string when declaring vars.

eg

$v1 = clean($_GET['v1']);

Hitman
24-11-2007, 04:43 PM
Thanks! :)

lolwut
24-11-2007, 04:53 PM
mysql_real_escape_string() is the best thing to help you with this, but make sure you're connected to a database first or it won't work.
I.e:

include 'something.php'; // opens the database connection first
$var = $_POST['var'];
$newvar = mysql_real_escape_string($var);

MrCraig
24-11-2007, 05:03 PM
Don't mean to sound stupid, but what does mysql_real_escape_string do anyway?

Like does it filter out commands or something?

Florx
24-11-2007, 06:20 PM
http://us.php.net/mysql_real_escape_string

Beau
24-11-2007, 09:37 PM
I'd suggest using sprintf as well:



$query = sprintf("SELECT * FROM users WHERE username='%s'", mysql_real_escape_string($_POST['username']));
$query = mysql_query($query);


That tells PHP beforehand what the string should look like, thus preventing injections somewhat.

Also, don't throw strip_tags, htmlspecialchars and mysql_real_escape_string into the one clean function. Make two; one for sanitizing and one for returning. Sanitizing will apply to all data going into the database (just need mysql_real_escape_string), and returning for data being echoed back to the user (htmlspecialchars imo, no need to strip the tags, just display everything back). You'll find yourself using a load of server resources if you echo everything back using mysql_real_escape_string.
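Beau's split between one function for data going into the database and one for data being echoed back, written out as an added example (not code from the thread). It uses PDO prepared statements for the storage side, since the mysql_* functions used above were removed in PHP 7, and applies htmlspecialchars only at output; the table, column names and sample values are constructed.

```php
<?php
// Storage layer: an in-memory SQLite database stands in for the forum's MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, signature TEXT)");

// Values are bound as parameters, so a quote inside the input is stored as data
// and cannot terminate the SQL string. Nothing is HTML-escaped at this stage.
function save_user(PDO $db, string $username, string $signature): void
{
    $stmt = $db->prepare("INSERT INTO users (username, signature) VALUES (:u, :s)");
    $stmt->execute([':u' => $username, ':s' => $signature]);
}

function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare("SELECT username, signature FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output layer: escape for HTML only when echoing back to the browser.
// ENT_QUOTES also converts single quotes, so the value is safe inside attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: a username with an apostrophe and a signature containing markup.
save_user($db, "o'brien", "<b>hello</b> it's me");
$row = find_user($db, "o'brien");

// The database holds the text exactly as typed; no slashes were added or doubled.
echo ($row['signature'] === "<b>hello</b> it's me") ? "stored verbatim\n" : "mangled\n";

// Only the rendered page gets the HTML escaping.
echo "<p>" . h($row['username']) . ": " . h($row['signature']) . "</p>\n";
```

For a field where HTML is meant to be shown (Beau's news-post case), skip h() on that one column instead of stripping tags when the data is saved.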

Hitman
24-11-2007, 11:13 PM
I'd suggest using sprintf as well:



$query = sprintf("SELECT * FROM users WHERE username='%s'", mysql_real_escape_string($_POST['username']));
$query = mysql_query($query);
That tells PHP beforehand what the string should look like, thus preventing injections somewhat.

Also, don't throw strip_tags, htmlspecialchars and mysql_real_escape_string into the one clean function. Make two; one for sanitizing and one for returning. Sanitizing will apply to all data going into the database (just need mysql_real_escape_string), and returning for data being echoed back to the user (htmlspecialchars imo, no need to strip the tags, just display everything back). You'll find yourself using a load of server resources if you echo everything back using mysql_real_escape_string.

OK, so for everything put the mysql_real_escape_string, for things like signature etc put the htmlspecialchars (so no redirections etc).

Beau
24-11-2007, 11:26 PM
OK, so for everything put the mysql_real_escape_string, for things like signature etc put the htmlspecialchars (so no redirections etc).

Pretty much. Thing is, you mightn't want to remove HTML from certain things, like news posts and stuff. That's why you don't want it all in the same function ;)

Hitman
24-11-2007, 11:32 PM
Pretty much. Thing is, you mightn't want to remove HTML from certain things, like news posts and stuff. That's why you don't want it all in the same function ;)
You're 2 steps ahead of me. :P

Hitman
25-11-2007, 03:56 PM
I can't edit but I have a question.

Would I be best to use this if I didn't want html, sql injections, javascript etc? I'll be making BBcode for html, so no redirects etc...



<?php
// Strips HTML tags and escapes quotes in a string before it is used.
function clean($str)
{
    $cl = strip_tags(addslashes(stripslashes(htmlspecialchars($str))));
    return $cl;
}
?>

Beau
26-11-2007, 05:29 AM
Don't bother with addslashes, stripslashes will work by itself fine. But apart from that, looks good.

Mentor
26-11-2007, 03:32 PM
A relevant comic:

http://imgs.xkcd.com/comics/exploits_of_a_mom.png

MrCraig
26-11-2007, 04:04 PM
ROFL. @ above.

Hitman
26-11-2007, 04:10 PM
A relevant comic:

http://imgs.xkcd.com/comics/exploits_of_a_mom.png
Aha, thanks for posting that. +rep :D

zeJosh
26-11-2007, 04:21 PM
Hahah, very good!

Beau
27-11-2007, 05:13 AM
I saw this during SOSE in the computer lab. I started laughing, and everyone looked at me weirdly :P
