Re: PS Re: GUI designer in html [message #182453 is a reply to message #182439]
Mon, 05 August 2013 00:59
Norman Peelman
Messages: 126 Registered: September 2010
On 08/04/2013 01:09 PM, J.O. Aho wrote:
> On 04/08/13 18:47, Twayne wrote:
>> On 2013-08-04 2:32 AM, Lightee wrote:
>>
>> I feel it's necessary to let you know that HTML forms are notoriously
>> famous for being hacked, cracked and used by miscreants for spamming
>> using your forms.
>
> It's not the HTML forms, but the scripts which are to handle the input
> which do not validate the content properly; no HTML WYSIWYG will make
> the script validate better, no matter how pretty the form looks.
>
>
>> The best way to alleviate those exposures is to learn PHP coding, IMO.
>> You may write your first page in HTML, and then use a second PHP page to
>> do all the testing of input data on the server-side where no one can see
>> it working nor can they easily get past a rotund random code and
>> sanitization and validation codes.
>
> Rule one, always validate user input, no matter if it's always your
> mother who does the input, one day she may just try to see what happens
> if she enters "'; drop database youdatabase; #" as input and as you
> never have a backup of the database, you lost everything.
>
>
That's only if you go out of your way to enable multiple statements
by using 'mysqli_multi_query()', which doesn't support prepared
statements. By default mysqli_query() and mysqli_real_query() do not
allow multiple queries separated by semi-colons.
http://us2.php.net/manual/en/mysqli.quickstart.multiple-statement.php
--
Norman
Registered Linux user #461062
-Have you been to www.php.net yet?-
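The distinction Norman draws above (mysqli_query() rejects stacked statements, mysqli_multi_query() is the only call that runs them) is real, but it is worth seeing next to the point J.O. Aho makes, because a single statement built from raw form input is still alterable even when a second statement can never follow it. The PHP below is an added example, not code from this thread or from the PHP manual; it assumes a MySQL server reachable with the placeholder credentials shown, a table `users(id, email)`, and the mysqlnd driver (needed for `get_result()`). The unsafe function is the pattern the thread warns against; the safe one validates the input shape and then lets the server bind the value through a prepared statement, so the input is never parsed as SQL at all.

```php
<?php
// Added example (not from the thread). Assumes a MySQL server reachable with the
// placeholder credentials below and a table `users(id INT, email VARCHAR(255))`.
declare(strict_types=1);

// Throw mysqli_sql_exception on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'app_db'); // placeholders
$db->set_charset('utf8mb4'); // set the charset through the driver, not via a raw SET NAMES query

// 1. Unsafe: the query text is concatenated from raw form input. mysqli_query()
//    does reject a second statement after ';', but a quote character in the
//    input still changes the WHERE clause of the one statement that does run.
function find_user_unsafe(mysqli $db, string $email): ?array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    $result = $db->query($sql);
    return $result->fetch_assoc() ?: null;
}

// 2. Safe: validate the shape of the input server-side first, then bind it.
//    With a prepared statement the value travels separately from the SQL text,
//    so quotes or semicolons in it are just data.
function find_user_safe(mysqli $db, string $email): ?array
{
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// 3. Norman's point, made observable: mysqli_query() refuses a stacked
//    statement, so "...; DROP ..." style input fails with a syntax error here
//    rather than executing. Only mysqli_multi_query() would run both parts.
try {
    $db->query('SELECT 1; SELECT 2');
    echo "unexpected: stacked statements ran\n";
} catch (mysqli_sql_exception $e) {
    echo "stacked statements rejected by mysqli_query(): " . $e->getMessage() . "\n";
}

// Typical use from a form handler: reject bad input before it reaches the database.
$email = $_POST['email'] ?? '';
try {
    $user = find_user_safe($db, $email);
    echo $user ? "found user {$user['id']}\n" : "no such user\n";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo "bad request: " . $e->getMessage() . "\n";
}
```

The validation step and the prepared statement do different jobs: `filter_var()` rejects input that cannot be an e-mail address at all (which also keeps garbage out of the table), while `bind_param()` is what actually removes the injection risk. Neither depends on whether multiple statements are enabled, which is why "rule one, always validate user input" still stands even though mysqli_query() itself will not run a second statement.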