Secure Method $_POST

  • tbebest
    New Member
    • Dec 2010
    • 10

    Secure Method $_POST

    Hi all, what should I do to secure $_POST?
    I have been defining a variable like this:
    Code:
    $comment = $_POST['comment'];
  • AutumnsDecay
    New Member
    • Mar 2008
    • 170

    #2
    Hey tbebest,

    I'm not sure I quite understand the question.

    There are two methods to send information between pages from a form: $_GET and $_POST.

    GET will put the contents of the form element into the web-browser address bar (i.e. www.yoursite.com/search.php?term=Foo).

    POST sends the data from the page through the server, and it can be read on the following pages without being broadcast through the address bar.

    You could try using PHP's md5 hashing ability to send the information between pages. Additionally, you could also look into SSL certificates, which allow for https:// connections, which are generally secured by at least 128-bit encryption.


    • tbebest
      New Member
      • Dec 2010
      • 10

      #3
      Hi AutumnsDecay,
      My question is about cross-site scripting and SQL injection, XSS attacks and so on.
      Regards and thanks.


      • AutumnsDecay
        New Member
        • Mar 2008
        • 170

        #4
        The best way around SQL injection is to never run an SQL statement without verifying the source of the user.

        If the user starts at your index.php page, set a $_SESSION variable called 'start' or something. On each page afterwards, call session_start() so it holds onto the session info.

        When you finally go to do your SQL query, run an if statement to make sure they started from where they typically would have, which would be the index.php page.

        Code:
        session_start();

        // Refuse to run the query unless $_SESSION['start'] was set on index.php.
        // empty() covers the unset, "" and null cases without an undefined-index notice.
        if (empty($_SESSION['start'])) {
            echo 'You do not have permission to perform this action';
        } else {
            // MYSQL QUERY goes here
        }
        Something like that is decent.

        If you're specifically worried about your form elements and how they're broadcast, look into SSL.


        • JKing
          Recognized Expert Top Contributor
          • Jun 2007
          • 1206

          #5
          Always use mysql_real_escape_string() when passing any variable to a mysql query. It will escape any characters used by mysql, preventing the user from executing an SQL injection.

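The following is an added example, not code posted in this thread, showing the difference between the approaches in #4 and #5 and the prepared-statement form that replaces manual escaping. The `$comment` value is a constructed attacker input standing in for `$_POST['comment']`; the `comments` table and the connection credentials are assumed for illustration only.

```php
<?php
// Added example, not code from the original thread: three ways of getting
// $_POST['comment'] into a MySQL query. $comment is a constructed sample
// standing in for the POST value; the "comments" table and the connection
// credentials are assumed for illustration.
declare(strict_types=1);

// Constructed attacker input: closes the quoted value and appends a second
// statement (in MySQL, "-- " starts a comment that swallows the rest).
$comment = "nice post'); DROP TABLE comments; -- ";

// 1. Vulnerable: the raw value is concatenated into the SQL text. A session
//    check like the one in #4 decides who may reach this line, but it does not
//    change what the SQL says once they do.
function buildUnsafe(string $comment): string
{
    return "INSERT INTO comments (body) VALUES ('" . $comment . "')";
}

// 2. Escaping, as suggested in #5. mysql_real_escape_string() belongs to the
//    old mysql_* extension, which was removed in PHP 7; mysqli_real_escape_string()
//    is its replacement and needs a live connection because the escaping
//    depends on the connection's character set.
function buildEscaped(mysqli $db, string $comment): string
{
    $safe = mysqli_real_escape_string($db, $comment);
    return "INSERT INTO comments (body) VALUES ('" . $safe . "')";
}

// 3. Prepared statement: the SQL text is fixed up front and the value is
//    bound separately, so the server never parses it as SQL and there is no
//    escaping step that can be forgotten.
function insertPrepared(mysqli $db, string $comment): bool
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->bind_param('s', $comment);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

echo buildUnsafe($comment), "\n";

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli('localhost', 'user', 'password', 'app'); // assumed credentials
    echo buildEscaped($db, $comment), "\n";
    insertPrepared($db, $comment);
} catch (mysqli_sql_exception $e) {
    echo 'No database available for the escaped/prepared variants: ', $e->getMessage(), "\n";
}
```

Whether the appended `DROP TABLE` actually executes depends on the driver call (mysqli_query() runs one statement, multi_query() runs several), but in the unsafe variant the meaning of the query is already under the visitor's control, and the session gate from #4 does nothing about that. Escaping fixes it only if every query site remembers to escape every value; binding parameters makes the mistake impossible to make.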

          • tbebest
            New Member
            • Dec 2010
            • 10

            #6
            Hi AutumnsDecay and JKing, your answers are very good;
            the most helpful answer for me is both of them. Thanks.

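The original question also asked about cross-site scripting, which none of the replies covers. As an added example (not code from this thread), the following shows why encoding on output, not filtering on input, is what stops a stored comment from running in other visitors' browsers, and what a basic validation of `$_POST['comment']` at read time looks like. The `$comment` value is a constructed sample; the `comments` CSS class and the 4000-byte limit are assumptions.

```php
<?php
// Added example, not code from the original thread: rendering a comment that
// came in through $_POST. $comment is a constructed sample; in the real page it
// would be $_POST['comment'] on submit or a row read back from the database.
declare(strict_types=1);

// Constructed sample of a stored-XSS payload.
$comment = '<script>alert(document.cookie)</script>';

// Vulnerable: the raw value is emitted into the HTML, so the browser runs it.
function renderUnsafe(string $comment): string
{
    return '<div class="comment">' . $comment . '</div>';
}

// Hardened: the untrusted value is encoded for the HTML context it lands in.
// ENT_QUOTES encodes both quote kinds so the same output is also safe inside
// an attribute value; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string; the charset must match the page's own charset.
function renderSafe(string $comment): string
{
    $encoded = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="comment">' . $encoded . '</div>';
}

// Validation at the point of reading $_POST: reject what the field should never
// contain (missing, non-string, empty, oversized, or control characters) rather
// than trying to strip "bad" tags, which is the approach that gets bypassed.
// The 4000-byte cap is an assumed limit for this example. Returns null on reject.
function readComment(array $post): ?string
{
    if (!isset($post['comment']) || !is_string($post['comment'])) {
        return null;
    }
    $value = trim($post['comment']);
    if ($value === '' || strlen($value) > 4000) {
        return null;
    }
    // Control characters other than tab, LF and CR have no place in a comment.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $value) === 1) {
        return null;
    }
    return $value;
}

echo renderUnsafe($comment), "\n";
echo renderSafe($comment), "\n";
var_dump(readComment(['comment' => $comment]));
var_dump(readComment(['comment' => "bad\x00byte"]));
```

Note that `readComment()` still accepts the script payload: validation decides whether the value is a plausible comment, and `renderSafe()` is what makes it harmless when displayed. The two are separate controls, and the SQL side of the same field is handled with a bound parameter, not with htmlspecialchars(), since each output context needs its own encoding.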
