Cronwerks MCCode/MCCodes Forums

Topic: Security tutorial (Read 376 times)

Redex

Security tutorial
« on: December 28, 2009, 07:40:04 AM »
Security thread, done to the best of my ability

$_GET = an output because it's getting something from the database.

$_POST = input because it's inputting something into the database

Securing numbers

abs() - This determines that the number you post is an absolute value

$_GET['number'] = abs($_GET['number']);

 An output because it's $_GET, and abs makes sure it's an absolute number

McCodes example

$_GET['ID'] = abs($_GET['ID']); - this is an output because it's $_GET, and abs is making sure the number is an absolute value

$_POST['ID'] = abs($_POST['ID']); - this is an input because it's $_POST

intval()

intval() - makes sure the number is not a decimal, and is a whole number.

$_GET['number'] = intval($_GET['number']);

 - This is an output because it's $_GET, and intval makes sure the number is not a decimal

McCodes example

echo intval(4.2);                     // 4

$_POST['money'] = intval($_POST['money']);

Now, if we want a number which is not a decimal and is an absolute value, you have to combine the two options we have above. Example:

$_POST['number'] = abs(intval($_POST['number']));

McCodes example

$_POST['money'] = abs(intval($_POST['money']));

floatval()

floatval() makes sure it's a floating integer (any number)

$_GET['number'] = floatval($_GET['number']);

McCodes example

$_POST['money'] = floatval($_POST['money']);

$_GET['money'] = floatval($_GET['money']);

Combine with abs to make the number more secure

$_POST['money'] = abs(floatval($_POST['money']));

$_GET['money'] = abs(floatval($_GET['money']));

mysql_real_escape_string

mysql_real_escape_string - escapes special characters in a string

$_POST['string'] = mysql_real_escape_string($_POST['string']);

Only use mysql_real_escape_string on inputs ($_POST)

McCodes example

$_POST['user'] = mysql_real_escape_string($_POST['user']);

stripslashes

stripslashes - strips slashes from a string

Example:

<?php
$example = "Hello blah what\'s up ? ";
echo stripslashes($example);

Output would be: Hello blah what's up ?

htmlspecialchars

htmlspecialchars - Convert special characters to HTML entities

Example:

$link = htmlspecialchars("<ahref = 'test.php'> Test  </a>  ");

htmlentities

htmlentities - converts all applicable characters to HTML entities

<?php
$str = "A 'quote' is <b>bold</b>";
echo htmlentities($str);

That's the end of my tutorial. If there is anything wrong, can the experienced coders please correct it. Thanks, but at least I attempted a tutorial ;)



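The functions the tutorial above walks through, collected into one script that runs from the command line. This is an added example, not code from the original post or from MCCodes; the helper names (cleanId, cleanAmount, cleanForHtml) and the sample values are constructed. Because mysql_real_escape_string was removed in PHP 7, the database part uses a PDO prepared statement against in-memory SQLite instead, which is the current replacement for escaping a value into a query string.

```php
<?php
// Added example (not from the original post): one helper per kind of input
// the tutorial discusses, run against constructed sample values.

// Whole, non-negative number: the tutorial's abs(intval(...)) combination.
function cleanId($raw) {
    return abs(intval($raw));
}

// Any number (possibly decimal), forced non-negative: abs(floatval(...)).
function cleanAmount($raw) {
    return abs(floatval($raw));
}

// Text that will be echoed into HTML: escape it rather than strip it.
// ENT_QUOTES also escapes single quotes, which htmlspecialchars skips by default.
function cleanForHtml($raw) {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed sample values, the kind of thing a game form might submit.
$samples = [
    'ID'     => '-7abc',                        // cleanId: 7
    'money'  => '12.75xyz',                     // cleanAmount: 12.75
    'string' => "<script>alert('x')</script>",  // cleanForHtml: entity-escaped
];

echo "id:     ", cleanId($samples['ID']), "\n";
echo "amount: ", cleanAmount($samples['money']), "\n";
echo "html:   ", cleanForHtml($samples['string']), "\n";

// htmlentities vs htmlspecialchars on a string with a non-ASCII character:
// both escape < > & and quotes; only htmlentities also turns the copyright
// sign into a named entity.
$str = "A 'quote' is <b>bold</b> ©";
echo "specialchars: ", htmlspecialchars($str, ENT_QUOTES, 'UTF-8'), "\n";
echo "entities:     ", htmlentities($str, ENT_QUOTES, 'UTF-8'), "\n";

// stripslashes only undoes backslash escaping; it is not an HTML or SQL filter.
echo "stripped: ", stripslashes("what\\'s up"), "\n";

// For database input, a prepared statement binds the value instead of splicing
// it into the SQL text, so no escaping function is needed. In-memory SQLite
// stands in for MySQL here so the script runs stand-alone.
if (extension_loaded('pdo_sqlite')) {
    $db = new PDO('sqlite::memory:');
    $db->exec("CREATE TABLE users (id INTEGER, username TEXT)");
    $db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");
    $stmt = $db->prepare("SELECT username FROM users WHERE id = :id");
    $stmt->execute([':id' => cleanId($samples['ID'])]);   // id 7: no such row
    var_dump($stmt->fetchColumn());                        // bool(false)
    $stmt->execute([':id' => cleanId('2')]);
    var_dump($stmt->fetchColumn());                        // string(3) "bob"
}
```

The split between the three helpers is the point: a number field is cast to a number, a field that is displayed is escaped for HTML, and a field that reaches the database is bound as a parameter. Stripping characters is not on that list, since stripslashes only reverses escaping that was applied earlier.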

Danny696

Re: Security tutorial
« Reply #1 on: December 28, 2009, 10:33:01 AM »
<ahref && <b> is invalid HTML. It's <a href; the single word will not work. And <b> has been deprecated; use <span style="font-weight: bold;">
The PHP word int means it can be +/- 2,147,483,647.
 float seems to be more for decimals, therefore making the statement
Quote:
floatval() makes sure it's a floating integer (any number)
invalid.
Quote:
$_GET = an output because it's getting something from the database.
$_POST = input because it's inputting something into the database
As said on MWG's, this is wrong; it hasn't got anything to do with the DB. They are reserved superglobals.
Quote from W3schools:
The built-in $_GET function is used to collect values from a form sent with method="get".
The built-in $_POST function is used to collect values from a form sent with method="post".
And that makes the bolded parts of this invalid:
Quote:
$_GET['ID'] = abs($_GET['ID']); - this is an output because it's $_GET, and abs is making sure the number is an absolute value
$_POST['ID'] = abs($_POST['ID']); - this is an input because it's $_POST
My Game: GraveYard; Madness || Projects; N/A -  Available for work. Please IM/PM me.
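To illustrate the two points in the reply above (the superglobals are filled from the request, not the database, and a PHP integer has a fixed range), an added example that is not part of the thread. It populates $_GET and $_POST by hand so it runs from the command line; the function names asInt and asBoundedInt and the sample values are constructed. The exact limit is PHP_INT_MAX, which is 2,147,483,647 on 32-bit builds and larger on 64-bit builds.

```php
<?php
// Added example (not from the original thread): $_GET and $_POST are plain
// arrays PHP fills from the request, so a CLI script can populate them by hand
// to show what a handler would see. The values below are constructed.
$_GET  = ['page' => '3'];                       // as if ?page=3 via method="get"
$_POST = ['money' => '99999999999999999999'];   // as if submitted via method="post"

// intval() silently clamps anything beyond the platform's integer range,
// so an absurd value comes back as PHP_INT_MAX rather than being rejected.
function asInt($raw) {
    return intval($raw);
}

// filter_var() rejects out-of-range or non-integer input instead of clamping,
// which is usually what a game's money or ID field wants. Returns null on reject.
function asBoundedInt($raw, $min, $max) {
    $opts = ['options' => ['min_range' => $min, 'max_range' => $max]];
    $v = filter_var($raw, FILTER_VALIDATE_INT, $opts);
    return $v === false ? null : $v;
}

echo "PHP_INT_MAX:  ", PHP_INT_MAX, "\n";
echo "page (GET):   ", asInt($_GET['page']), "\n";      // 3
echo "money (POST): ", asInt($_POST['money']), "\n";    // clamped to PHP_INT_MAX
var_dump(asBoundedInt($_POST['money'], 0, 1000000));    // NULL: out of range
var_dump(asBoundedInt('250', 0, 1000000));              // int(250)
var_dump(asBoundedInt('12.5', 0, 1000000));             // NULL: not a whole number
var_dump(asBoundedInt('-5', 0, 1000000));               // NULL: below min_range
```

Rejecting with a range check is the safer habit for values that feed game logic: a clamped intval() result still looks like a valid number to the rest of the script.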

Danny696

Re: Security tutorial
« Reply #2 on: December 28, 2009, 10:33:42 AM »
Not trying to put you down, just telling you where you could improve.

Redex

Re: Security tutorial
« Reply #3 on: December 28, 2009, 11:27:25 AM »
That's a better response than other forums; all criticism is accepted, but there's just no need to do it in an informal, idiotic way ;)