withinweb

magic_quotes_gpc, when on, automatically adds slashes to all GET/POST/COOKIE data so that you don’t need to use addslashes() before using GET/POST/COOKIE data in MySQL queries, etc. (e.g. with magic_quotes_gpc OR addslashes(), I’m becomes I\\’m). Well, magic_quotes_gpc is no convenience and just complicates things!
Since magic_quotes_gpc can be on or off, you don’t know whether to use [...]

[Read more →]

PHP 5.2.0 onwards has the filter_var function which can be used to validate many different inputs.
To validate an email address :
<?php
//Validate an email address in PHP 5.2.0 onwards
$email_address = “me@example.com”;
if (filter_var($email_address, FILTER_VALIDATE_EMAIL)) {
// The email address is valid
} else {
// The email address is not valid
}
?>

[Read more →]

This is another possible way of dealing with quote marks for inserting data into a database :
if (!get_magic_quotes_gpc()) {
$item_name = addslashes($_POST['txtItem_Name']);
}
else
{
$item_name = $_POST['txtItem_Name'];
}
Dealing with quote marks for inserting data into a database
———————————————————–
if (!get_magic_quotes_gpc()) {
$item_name = addslashes($_POST['txtItem_Name']);
}
else
{
$item_name = $_POST['txtItem_Name'];
}

[Read more →]

To help counter SQL injections you need to make sure that entered values use minimum character types as possible.  So you restrict usernames to just a-z and 0-9 characters.
To test for these, use something like :
//——————————————————
/**
* Purpose : Check input for paticular characters
* Only allow a – z, A – Z , 0-9
* returns true [...]

[Read more →]

Database Permissions
Set the permissions on the database username / password as tightly as possible.  If you are displaying data, there is no need for the user to have insert or update permissions into the database.  One solution is to have two usernames / passwords.  One would have select permissions, and would be used only for [...]

[Read more →]