05-16-2010, 09:46 AM
(05-16-2010, 02:33 AM)BHensley Wrote: I can respect your decision to keep this tutorial short but ignoring basic security protocols is not the way to teach people. You never, under any circumstances, insert raw form-fed data into a database. Instead you should be sanitizing all form data before it makes it to the database.
There are a wide variety of options when it comes to sanitizing data. And it'll oftentimes depend on the application at hand; that is, whether you just settle for escaping quotes or go with a more sturdy character whitelist.
For the sake of simplicity look into the mysql_real_escape_string function. It's the most basic way to prevent SQL injections and limit XSS vulnerability. And like I said: it's simple. Simple enough to be used in this tutorial.
The tutorial was kind of a quickie. Anyway, I read the code again and I'm pretty sure I added mysql_real_escape_string where it should be.
Thanks for the advice.