Essential PHP Security

Thursday, 17 August 2006 @ 4:41

I recently finished reading Essential PHP Security by Chris Shiflett (O’Reilly). It was a good, quick read, and for me it was mostly a review of principles I had previously read on Chris’s blog. The two main principles are filter input and escape output. A best practice that follows from them is to keep each kind of data in its own array: $clean holds only values that passed validation, and $html and $mysql hold copies escaped for one specific output context, so it is always obvious which values are safe to use where:

<?php
// filter input and assign it to the "$clean" array
// (isset() avoids a notice when the field is missing from the request)
if (isset($_POST['name']) && ctype_alnum($_POST['name'])) {
    $clean['name'] = $_POST['name'];
} else {
    // the value failed the whitelist; $clean['name'] stays unset and must not be used
    exit('invalid name');
}

// escape HTML output with htmlentities()
$html['name'] = htmlentities($clean['name'], ENT_QUOTES);
echo "You entered the name $html[name].";

// escape MySQL output with mysql_real_escape_string()
// (the mysql_* extension was removed in PHP 7; current code should use
// prepared statements via PDO or mysqli instead of string escaping)
$mysql['name'] = mysql_real_escape_string($clean['name']);
mysql_query("INSERT INTO table (name) VALUES ('$mysql[name]')");
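The same discipline in current PHP, as an added example that is not code from the book or from this post: a strictly whitelisted field beside a free-text field, to show that a loose filter is exactly where context-specific escaping still matters, and a PDO prepared statement in place of the $mysql escaping array. The `users` table, the in-memory SQLite connection and the sample requests are all constructed for the demonstration; it assumes the pdo_sqlite and mbstring extensions are loaded.

```php
<?php
declare(strict_types=1);

// Added example, not from the book or the post. Same filter-input /
// escape-output discipline, written for PHP 7+/8, where the mysql_*
// functions no longer exist. The `users` table and the SQLite in-memory
// connection are hypothetical, for demonstration only.

/**
 * Filter step. Only values that pass validation are copied into $clean;
 * anything absent from $clean is still tainted and must not be used.
 */
function filterInput(array $request): array
{
    $clean = [];

    // Strict whitelist for `name`: 1-32 alphanumeric characters
    // (the same rule as ctype_alnum() in the post, plus a length bound).
    if (isset($request['name']) && is_string($request['name'])
        && preg_match('/^[A-Za-z0-9]{1,32}$/', $request['name']) === 1) {
        $clean['name'] = $request['name'];
    }

    // Free-text `comment`: only encoding and length can be checked here, so
    // dangerous characters survive filtering and escaping at output matters.
    if (isset($request['comment']) && is_string($request['comment'])
        && mb_check_encoding($request['comment'], 'UTF-8')
        && mb_strlen($request['comment'], 'UTF-8') <= 200) {
        $clean['comment'] = $request['comment'];
    }

    return $clean;
}

/** Escape step for HTML body and attribute context. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Database step. With a prepared statement the value travels separately
 * from the SQL text, so no $mysql[] escaping array is needed at all.
 */
function insertRow(PDO $db, string $name, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO users (name, comment) VALUES (:name, :comment)');
    $stmt->execute([':name' => $name, ':comment' => $comment]);
}

// --- Demonstration on constructed input (no real requests involved) ---------

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, comment TEXT)');

$samples = [
    ['name' => 'alice', 'comment' => 'hello'],
    ['name' => 'bob',   'comment' => "<script>alert(1)</script>"],
    ['name' => 'carol', 'comment' => "x' OR '1'='1"],
    ['name' => "bob' OR '1'='1", 'comment' => 'injection attempt in name'],
    ['comment' => 'no name field at all'],
];

foreach ($samples as $post) {
    $clean = filterInput($post);
    if (!isset($clean['name'], $clean['comment'])) {
        echo 'rejected: ' . json_encode($post) . "\n";
        continue;
    }

    // Escape for the HTML context only at the point of output.
    $html = [
        'name'    => escapeHtml($clean['name']),
        'comment' => escapeHtml($clean['comment']),
    ];
    echo "You entered the name {$html['name']} and said {$html['comment']}.\n";

    // Store the clean (not HTML-escaped) value; the database is a different context.
    insertRow($db, $clean['name'], $clean['comment']);
}

foreach ($db->query('SELECT name, comment FROM users') as $row) {
    echo "stored: {$row['name']} / {$row['comment']}\n";
}
```

The two injection-looking names are rejected by the whitelist before any escaping happens; the `<script>` and `' OR '1'='1` comments pass the filter, are neutralised by htmlspecialchars() in the HTML output, and are stored verbatim through the prepared statement without ever being spliced into SQL text.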

After reading the book I was only left with one question: is HTTP Authentication over SSL fairly secure? (I assumed it would be.) I emailed Chris with my question and he responded quickly in the affirmative. Thanks, Chris.

Utah PHP Users Group

recent posts

recent comments

recent job announcements

search

administered by Anavi Design
colocated at Tier Four