To protect your site from SQL injection and cross-site scripting you must validate every user input field. Don't forget the URL either: the $_GET data must be checked too. There is a simple way to do this without writing a separate check for each input.
You can do all with this function:
<?php
/* Online PHP Examples with Source Code website: http://4evertutorials.blogspot.in/ */

// $arr  - array to be checked
// $html - bool: allow HTML tags (true) or encode them (false, default)
function safe($arr, $html = false)
{
    if (!empty($arr)) {
        foreach ($arr as $key => $value) {
            // if the value is itself an array, check it too (passing $html along)
            if (is_array($value)) {
                $arr[$key] = safe($value, $html);
            } else {
                // if HTML tags are allowed, only escape for SQL
                if ($html) {
                    $arr[$key] = mysql_real_escape_string($value);
                }
                // else encode HTML special characters, convert new lines
                // to <br /> and then escape for SQL
                else {
                    $value = nl2br(htmlspecialchars($value));
                    $arr[$key] = mysql_real_escape_string($value);
                }
            }
        }
    }
    return $arr;
}
?>
Just put something like this at the beginning of your page: $_GET = safe($_GET);
Note that mysql_real_escape_string() needs an open connection from the old mysql extension, which was removed in PHP 7; on current PHP use mysqli_real_escape_string() with a connection handle or, better, prepared statements with bound parameters. Escaping everything at the top of the page also alters data you may later need in its raw form (for example a value stored in the database and then displayed elsewhere), so encode for HTML at output time rather than on input.
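The following is an added example, not the original post's code: the same recursive walk over a request array, but with HTML encoding and SQL handling separated. HTML encoding uses htmlspecialchars() with explicit flags and charset, and the database lookup uses a PDO prepared statement (a swapped-in technique the post does not use) so no SQL escaping of the value is needed. The function names, the users table and the commented-out DSN are assumptions for illustration; the sample request data is constructed.

```php
<?php
// Added example, not the original post's code. Assumes PHP 7+ with the PDO
// extension; the DSN and the "users" table are placeholders.
declare(strict_types=1);

/**
 * Recursively HTML-encode every string in $input (array keys are kept).
 * ENT_QUOTES also encodes single quotes, which matters inside attributes;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function encode_for_html(array $input): array
{
    foreach ($input as $key => $value) {
        if (is_array($value)) {
            // nested array (e.g. ?tags[]=a&tags[]=b): walk it too
            $input[$key] = encode_for_html($value);
        } elseif (is_string($value)) {
            $input[$key] = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
        // ints, floats, bools and null need no encoding and are left as-is
    }
    return $input;
}

/**
 * Look a user up by name with a bound parameter. The value travels
 * separately from the SQL text, so it is never escaped or concatenated.
 */
function find_user(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample standing in for $_GET, including a nested array
$sample = [
    'q'    => '<script>alert(1)</script>',
    'tags' => ['a"b', "O'Brien"],
    'page' => 2,
];

// Encode only for the HTML view; keep $sample itself untouched for other uses
$forHtml = encode_for_html($sample);
var_dump($forHtml);

// Database access uses the raw value with a bound parameter.
// Placeholder connection; replace the DSN and credentials with your own.
// $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,
// ]);
// var_dump(find_user($db, $sample['tags'][1]));
```

Keeping the raw request values and encoding a copy for the page avoids the double-handling problem of a global safe() call: the same string can be bound to a query, stored, and later encoded again for display without accumulating escape characters.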