Recommended:

  • phpclasses.org
  • jsclasses.org
  • jsmag.com
  • siteapps.com
  • View our reviews on Hot Scripts
  • JS Tutorial
  • scripts.com
  • securesignup.com




Recent Comments

Powered by Disqus




Back to articles

Preventing SQL Injections and Cross-Site Scripting

To secure your site from SQL Injections and Cross-Site Scripting you must validate every user input  field. And don't forget about url adress, you must verify $_GET data, too. There is a simple way to do this, without checking every user input.

You can do all with this function:

<?php
//$arr array to be checked, $html - bool to allow html tags or not
function safe($arr, $html = false) 
{
    if(!empty($arr))
    {
        foreach ($arr as $key => $value)
        {
            //if is array, then check it too
            if(is_array($arr[$key]))
            {
                $arr[$key] = safe($arr[$key]);
            }
            else
            {
                //if HTML tags allowed, only securing SQL injections
                if($html)
                {
                    $arr[$key] = mysql_real_escape_string($value);
                }
                //else stripping out HTML characters and 
                //converting new line to <br> and then securing from SQL injections
                else
                {
                    $value = nl2br(htmlspecialchars($value));
                    $arr[$key] = mysql_real_escape_string($value);
                }
            }
        }
    }
    return $arr;
}
?>

Just put something like this in the beginning of your page $_GET = safe($_GET);


You may also be interested in:

Powered by BlogAlike.com

blog comments powered by Disqus