Free PHP tutorials, Basic security

in For Beginners, PHP Tutorials & News

A PHP coder has to take many precautions to prevent hacking and accidental adverse effects caused by users. It is quite simple to secure your PHP scripts against common threats. The main threat is SQL injection: an attack made by posting certain values in a query string or via a web form with the intention of gaining unauthorized access to a database.

The easiest and most effective fix for SQL injection is the mysql_real_escape_string() function. This function will escape, or backslash, any characters that would otherwise break out of the quoted value in your query. For example:

// Escape the posted value before it is placed inside a quoted SQL string
$username = mysql_real_escape_string($_POST['username']);

However, this is not the only thing you need to do in order to secure user-posted data. XSS attacks, also known as Cross Site Scripting, allow a user to inject HTML and JavaScript into your database in order to perform actions like forcing your users to be redirected to a porn site instead of their intended destination. This, by the way, is why I tell people NOT to use MySpace. MySpace allows these things to happen on a large scale, and many PCs get infected with malware because of it.

strip_tags() is a function that helps a lot in preventing cross site scripting, but I developed a custom function that combines strip_tags() with various other functions in order to filter out as many bad possibilities as possible. My function first strips certain values out of the string that are used to form a JavaScript script via the web form or query string. Using htmlspecialchars() after strip_tags() is a great thing to do as well. Then you have htmlentities(), the big brother of htmlspecialchars(). htmlentities() does the same exact thing, except it also converts quotes.
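As an added example (not the author's own custom function), here is a filter that chains strip_tags() and htmlspecialchars() in the order described above and runs it over a few constructed inputs; the name filterForHtml and the sample strings are assumptions made for this illustration:

```php
<?php
// Added example, not code from the original post: a two-step output filter
// that combines strip_tags() with htmlspecialchars(), as the article suggests.

function filterForHtml(string $input): string
{
    // Step 1: remove any HTML or PHP tags the user managed to submit.
    $noTags = strip_tags($input);

    // Step 2: encode whatever is left so that stray < > & " ' are rendered as
    // text instead of being interpreted by the browser. ENT_QUOTES also
    // converts single quotes, which the default flags leave untouched;
    // ENT_SUBSTITUTE keeps invalid UTF-8 from producing an empty string.
    return htmlspecialchars($noTags, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs for demonstration only.
$samples = [
    'Alice',                                   // plain value, unchanged
    '<b>bold</b> name',                        // tags stripped, text kept
    '<script>alert(1)</script>',               // whole script element removed
    '"><i>x</i>',                              // strip_tags() leaves "> behind,
                                               // htmlspecialchars() neutralises it
    "O'Brien & Sons",                          // quotes and ampersand encoded
];

foreach ($samples as $raw) {
    printf("%-30s => %s\n", $raw, filterForHtml($raw));
}
```

The fourth sample shows why the second step matters: strip_tags() alone leaves the stray `">` in place, and only htmlspecialchars() turns it into harmless `&quot;&gt;`.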

Always encrypt passwords, credit card numbers and other sensitive data. md5() is the most common function used, but not the best; search php.net for more. There are many other built-in functions, but you can also explore third-party techniques. Also, if you store data encrypted, there is really no need to waste resources on data validation unless the data is being decrypted.

Always assume that your users are a mix of hackers and n00bs. A hacker will purposely try to break you, while a n00b will just break you and then wonder why things are not working, probably insulting you and your momma in the process. Learn to think as a hacker or a n00b would think. Navigate as they would, and enter data as they might.

This is just a basic PHP security lesson; more will come at a later time. Always remember that there are people who really want to hurt you for no reason, just to prove their superior intellect by breaking your site. So, learn to think as they do and protect your scripts. You work hard on them, and you do not deserve to be hacked.

© 2011, Crackfeed.Com. No reposting authorized.
