  1. #1
    SitePoint Evangelist

    PHP checklist for form validation advice please?

    Evening all

    I collect personal data from my users on my website and place it in a MySQL database. Now I want to make 150% sure this data is safe, and can't be hacked, changed or accessed by a hacker.

    Here are the steps I currently run through:

    1) I have magic quotes turned off
    2) I have register globals turned off
    3) All $_POST data I pass on my form runs through mysql_real_escape_string, trim, htmlentities and strip_tags like so:

    PHP Code:
    // strip tags, encode HTML entities (including quotes), escape for MySQL, then trim
    $your_name = trim(mysql_real_escape_string(htmlentities(strip_tags($_POST['your_name']), ENT_QUOTES)));
    4) I run regular expressions on my site for things like checking the validity of an email address etc...

    5) I have a CAPTCHA system in place

    Now, I know that things like using Prepared Statements is best for making sure no attack takes place, and I am getting to a place whereby I will start using them.

    But for now, can anyone tell me whether, if I am doing all the above on my form, my data is safe, all the correct procedures are in place, and it won't be hacked?

    Thank you
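    An added example (not the original poster's code) of the prepared-statement approach the post says it is moving toward: validate the input in PHP, store the raw value through a PDO placeholder, and encode only when rendering HTML. The DSN, credentials and the users(name, email) table are assumptions for illustration.

```php
<?php
// Added example (not from the thread): validate, store the raw value via a
// prepared statement, escape only at output. DSN/credentials/table are assumed.
declare(strict_types=1);

function validateSignup(array $post): array
{
    $errors = [];
    // Trim whitespace, but do not strip_tags or htmlentities here:
    // the database should hold exactly what the user typed.
    $name  = trim((string)($post['your_name'] ?? ''));
    $email = trim((string)($post['email'] ?? ''));

    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'Name must be 1-100 characters.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    return ['errors' => $errors, 'name' => $name, 'email' => $email];
}

function insertUser(PDO $pdo, string $name, string $email): int
{
    // Placeholders keep data separate from SQL, so no
    // mysql_real_escape_string-style escaping is needed or applied.
    $stmt = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
    return (int) $pdo->lastInsertId();
}

function escapeHtml(string $text): string
{
    // Encoding belongs at the output boundary, chosen for the HTML context.
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepares
]);

$result = validateSignup($_POST);
if ($result['errors'] !== []) {
    http_response_code(422);
    foreach ($result['errors'] as $e) { echo escapeHtml($e), "<br>\n"; }
    exit;
}
$id = insertUser($pdo, $result['name'], $result['email']);
echo 'Welcome, ', escapeHtml($result['name']), " (user #{$id})";
```

    Note that nothing is HTML-encoded before it reaches the database; the same stored name can then be emitted safely into HTML, JSON or an email with the encoder that fits each context.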

  2. #2
    SitePoint Wizard rguy84
    You should be fine against SQL attacks, but your site can always be hacked...
    Ryan B | My Blog | Twitter

  3. #3
    SitePoint Evangelist
    Quote Originally Posted by rguy84
    You should be fine against SQL attacks, but your site can always be hacked...
    Thanks, but in what way? Is there nothing else I can do to stop this, beyond the 5-item checklist I have in place? Or do you mean just via other means by supergeeks that are sometimes beyond your control?

  4. #4
    SitePoint Wizard rguy84
    The second... other ways: brute force, DDoS, etc.
    Ryan B | My Blog | Twitter

  5. #5
    SitePoint Enthusiast descarte
    Looks good to me...

  6. #6
    SitePoint Addict beebs93
    Quote Originally Posted by rguy84
    The second... other ways: brute force, DDoS, etc.
    Would implementing "only so many login attempts allowed per second" code prevent this 100% or simply reduce the likelihood?

  7. #7
    SitePoint Wizard Cups
    I think there are 2 issues here.

    1. Keeping the hackers at bay, an ongoing job as you've described, which you seem to be addressing.

    2. Encrypting the personal information so that IF you are hacked, or your data is somehow intercepted en route or taken from a backup (on your laptop?), that data cannot be traced back to its owner and remains anonymous.

    I think it depends on what you mean by "personal data": passwords? Ages? Addresses? Preferences?
