WebApp Sec mailing list archives

Re: Anyone have some basic security tips for PHP-programmers?


From: tim () xi co nz
Date: Fri, 21 Nov 2003 09:53:46 +1300

1. This is essentially what magic-quotes does

http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc
If your server doesn't have this enabled, you can enable
it with  .htaccess for your webarea only.

From my point of view, magic_quotes is a bad idea, because
it can't possibly cover every way data can enter your
script, and it's counterproductive when you want to do other
things with that data. Look at the number of php-based apps
that end up displaying \' back to the user instead of '.

I prefer turning magic_quotes off, and when building SQL,
explicitly escaping each included string. It's a little more
work, but you can guarantee your SQL is safe. There's no
general way to sanitize strings - if you're inserting them
into a database you want to treat them differently than if
you're logging them or displaying them back or sending them
via xml or whatever.

--
Tim Oliver
tim () e2-media co nz
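The per-context handling Tim describes, written out as an added example (this is not code from the original post or thread). It uses PDO with an in-memory SQLite database so it runs offline; the `users` table and the input strings are constructed for the demo, and `addslashes()` stands in for what magic_quotes_gpc does on arrival.

```php
<?php
// Added example, not from the original post. One global "sanitize" pass
// (magic_quotes_gpc = addslashes() on every GET/POST/COOKIE value) is the
// wrong layer; escaping belongs at the point where the string enters a
// specific context (SQL, HTML, log line). Table and inputs are constructed.

declare(strict_types=1);

// Untrusted input as it arrives with magic_quotes_gpc = Off.
$name = "O'Reilly <script>alert(1)</script>";

// 1. What magic_quotes_gpc would have done to it on arrival.
$magicQuoted = addslashes($name);          // O\'Reilly <script>alert(1)</script>
// Echo that back without stripslashes() and the user sees the backslash:
// this is the \' bug the post mentions.
echo "With magic quotes on, displayed raw: $magicQuoted\n";

// 2. SQL context: escape (or better, bind) when the query is built.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Explicit per-string escaping, as the post suggests. PDO::quote() adds the
// surrounding quotes and doubles embedded quotes for this driver.
$db->exec('INSERT INTO users (name) VALUES (' . $db->quote($name) . ')');
$db->exec('INSERT INTO users (name) VALUES (' . $db->quote('alice') . ')');

// The same lookup with a bound parameter: nothing to escape, nothing to get wrong.
$stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false || $row['name'] !== $name) {
    throw new RuntimeException('value was not stored verbatim');
}

// 3. HTML context: encode for the output, not for the database.
$html = htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
echo "Displayed as HTML: $html\n";   // O&#039;Reilly &lt;script&gt;...

// 4. Log context: keep the string intact but unambiguous on one line.
error_log('user created: ' . json_encode($row['name']));

// 5. Why the SQL escaping has to be explicit: the same input, concatenated
//    into the query with no escaping at all, is a classic injection.
$evil = "x' OR '1'='1";
$unsafe = "SELECT id FROM users WHERE name = '$evil'";   // DON'T
$hits = $db->query($unsafe)->fetchAll(PDO::FETCH_ASSOC);
echo 'Unescaped concatenation matched ' . count($hits) . " rows\n";  // 2: every user

//    With the bound parameter the same string is just a name nobody has.
$stmt->execute([':name' => $evil]);
if ($stmt->fetch(PDO::FETCH_ASSOC) !== false) {
    throw new RuntimeException('bound parameter should not match any row');
}
echo "Bound parameter matched 0 rows\n";
```

Run it with `php example.php`. The point it makes beyond the post: the value stored in the database is the user's original string, with no backslashes, and each output path (HTML, log) applies its own encoding at output time, so the same stored row is safe in all of them.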

