* form manipulation - a security Question

[unistake]

Hi all,

 

I have heard stories that hackers/viruses or basically something that you don't want uploaded to a server through a website form have been able to type some sort of code in to a html form field to access information.

 

I know how to control the length of fields, how to validate that an email address is in the correct format etc. - but when it comes to having a textfield for the user to add up to 2000 characters of their own words, how can I protect from malicious code being inserted?

 

The textfield is located inside the user area but anyone can join, so anyone ultimately can enter code!

 

Thanks for the help. 

[Rifts]

stripslashes() and htmlspecialchars()

[Pikachu2000]

Without knowing how the data in that field will be used, there's no way to answer the question with any degree of accuracy. Will it be inserted into a database, added to a file, redisplayed immediately, or . . . ?

[unistake]

it will be stored in a mysql database and then displayed when called for in php.

[Pikachu2000]

Since it's string data, you'll want to use mysql_real_escape_string() (or mysqli_real_escape_string if you're using the mysqli extensions) to escape characters that would be used in sql injection attacks. Note that you need a connection established to the database for mysql_real_escape_string() to work.

 

mysql_connect( details, etc.);

$textarea = mysql_real_escape_string($_POST['textarea']);

 

"INSERT INTO table (field) VALUES ($textarea)";

 

When you retrieve and display the data, that is when you'd need to use a function such as htmlentities(), and/or possibly strip_tags() to help prevent XSS exploits.

[unistake]

Thanks Pika,

 

I will give that a go when I need it soon.

 

do you know of any articles on these attacks, I would like to know more for security?

 

[Pikachu2000]

If you just google preventing SQL injection and preventing XSS, you should get plenty of results. you can always questions here, too.

[unistake]

thanks