Home » Imported messages » comp.lang.php » GUI designer in html
Re: PS Re: GUI designer in html [message #182449 is a reply to message #182439] Sun, 04 August 2013 21:23
The Natural Philosoph
Messages: 993
Registered: September 2010
Senior Member
On 04/08/13 18:09, J.O. Aho wrote:
> On 04/08/13 18:47, Twayne wrote:
>> On 2013-08-04 2:32 AM, Lightee wrote:
>>
>> I feel it's necessary to let you know that HTML forms are notoriously
>> famous for being hacked, cracked and used by miscreants for spamming
>> using your forms.
>
> It's not the HTML forms, but the scripts which are to handle the input
> which do not validate the content properly; no HTML WYSIWYG will make
> the script validate better, no matter how pretty the form looks.
>
>
>> The best way to alleviate those exposures is to learn PHP coding, IMO.
>> You may write your first page in HTML, and then use a second PHP page to
>> do all the testing of input data on the server-side where no one can see
>> it working nor can they easily get past a rotund random code and
>> sanitization and validation codes.
>
> Rule one, always validate user input, no matter if it's always your
> mother who does the input; one day she may just try to see what
> happens if she enters "'; drop database youdatabase; #" as input, and
> as you never have a backup of the database, you've lost everything.
>
>
Well, if you use addslashes or convert that string to hexadecimal, it
will end up like that in the database.

Probably converting to hex is the simplest conceptually.

function sanitize_for_sql($user_garbage)
{
    // bin2hex() is the PHP function that emits the hex digits; hex() does not exist
    return "0x" . bin2hex($user_garbage);
}

Then

mysqli_query($link, "update mytable set mystring = "
    . sanitize_for_sql($user_garbage) . " where id = " . (int)$id);

should be safe

>> Also IMO, avoid Captcha code at all costs! Duplicate it yourself, or
>> parts of it, like the protection, but don't use their idiotic, hard to
>> read code images; they keep out as many people as they do robots.
>> Captcha code however is a pretty decent learning code; just don't use
>> it <GRIN>.
>
> I would advise to never write your own captcha or copy those average
> Aarav (kind of Indian Joe), as they usually do include a lot of issues
> with security and validation; if using captcha, use something like
> reCaptcha from Google.
>
>



--
Ineptocracy

(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.
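The hex-literal idea from the post above, written out as an added example that is not the poster's code: PHP's function is bin2hex() (there is no hex()), the id cast has to be (int) outside the string literal (the quoted "int($id)" is neither a function nor a cast), and a bare 0x with no digits is a MySQL syntax error, so the empty string needs its own case. The mysqli prepared statement is placed beside it as the form that removes the problem rather than encoding around it. The table mytable and the columns mystring and id are assumed from the thread; the payload is the one J.O. Aho quoted.

```php
<?php
// Added example, not code from the original post. Keeps the thread's
// hex-literal approach with the defects fixed, and shows the mysqli
// prepared statement next to it. Table/column names are assumed.

function sanitize_for_sql(string $user_garbage): string
{
    // MySQL reads 0x... in string context as a binary string holding exactly
    // those bytes, so quotes, semicolons and comment markers never reach the
    // parser as SQL. A bare "0x" is a syntax error, so '' is emitted for the
    // empty string instead.
    if ($user_garbage === '') {
        return "''";
    }
    return '0x' . bin2hex($user_garbage);
}

function build_update(string $user_garbage, $id): string
{
    // The cast sits outside the string literal; a leading-numeric string such
    // as "7 OR 1=1" becomes 7, anything non-numeric becomes 0.
    return 'UPDATE mytable SET mystring = ' . sanitize_for_sql($user_garbage)
         . ' WHERE id = ' . (int) $id;
}

// Prepared statement: the SQL text and the values travel separately, so the
// server never parses user bytes as SQL. Needs a live connection to run.
function update_with_prepared(mysqli $link, string $value, int $id): bool
{
    $stmt = $link->prepare('UPDATE mytable SET mystring = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $value, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed inputs: the payload quoted in the thread and a tampered id.
$payload = "'; drop database youdatabase; #";
echo build_update($payload, '7 OR 1=1'), PHP_EOL;
echo build_update('', 3), PHP_EOL;
```

Two caveats worth keeping in mind when reading the output: the hex literal only behaves as a string in string context (in numeric context MySQL treats 0x... as a number), and the encoding protects a single value, not the structure of the query, so a column or table name taken from input still has to be whitelisted. The prepared-statement function has neither limitation, which is why it is the form to prefer.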