Sanitizing Your Data

If you do any PHP programming that includes writing data to or reading data from a database, then it’s important to keep an eye on how you are entering data into your database; you don’t know what your users intentions are, and while most of them just want to use your site as intended, some users could have more malicious intentions. You shouldn’t enter data directly as the user enters it, for a couple of reasons.

1) SQL injection attacks

One of the more common types of attack. If the user enters SQL code into a field, that code will be run. The easiest way to guard against this is to use the function ‘mysql_real_escape_string’; this will escape any special characters used in SQLqueries ( for example, single quotes), this will prevent the user from adding in additional SQL statements that will be run (in the example above,it will be treated as one big text string that will be entered into the name column of the database, rather than a separate SQL command.

2) Cross-site scripting attack

A different type of attack, but just as dangerous. This assumes that that the user will be entering information that will be later displayed on a webpage. If the user enters in some HTML code (or other code that will run in a browser, like javascript) into a field, then when you later go to display what the user entered, that code will run. One way to avoid this is to use the function ‘strip_tags’ on the data the user entered, this will strip out any HTML tags entered by the user (like <script> tags around javascript code.

These are just a couple of basic things that you can do to protect your website; there is a lot more information online, starting with PHP’s own website; a quick google search will give you a number of resources to make your site even more secure.