What's the best way you guys have found to authenticate your form submissions so you're protected against people pumping crap into your site remotely? Is there a best practice for this?
In regards to safety, the two functions strip_tags() and mysql_real_escape_string() should keep you safe.

```php
/*
 * Created by: Stefan van Beusekom
 * Created on: 31-01-2011
 * Description: A method that ensures safe data entry, and accepts either strings or arrays.
 *              If the array is multidimensional, it will recursively loop through the array
 *              and make all points of data safe for entry.
 * parameters: string or array;
 * return: string or array;
 */
public function filterParameters($array)
{
    // Check if the parameter is an array
    if (is_array($array)) {
        // Loop through the initial dimension
        foreach ($array as $key => $value) {
            // Check if any nodes are arrays themselves
            if (is_array($array[$key])) {
                // If they are, let the function call itself over that particular node
                $array[$key] = $this->filterParameters($array[$key]);
            }
            // Check if the nodes are strings
            if (is_string($array[$key])) {
                // If they are, perform the real escape function over the selected node
                $array[$key] = mysql_real_escape_string($array[$key]);
            }
        }
    }
    // Check if the parameter is a string
    if (is_string($array)) {
        // If it is, perform a mysql_real_escape_string on the parameter
        $array = mysql_real_escape_string($array);
    }
    // Return the filtered result
    return $array;
}
```

In regards to actual data validity:

```php
if (strlen($string) > 10) {
    echo 'Response must be 10 characters or less.';
}
```
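The same form-handling flow carried through end to end, as an added example that is not code from the original post. Two things here are swapped in and were not in the post above: the value is stored through a PDO prepared statement with a bound parameter instead of being passed through mysql_real_escape_string(), and the submission is tied to the user's session with a CSRF token (which is what "authenticating" a form submission in the original question comes down to). The `responses` table, the `response` field name, the allowed character set and the in-memory SQLite backend are assumptions made so the script runs offline.

```php
<?php
// Added example (not from the original post): CSRF token + validation +
// prepared statement. Uses an in-memory SQLite database via PDO so it runs
// without a MySQL server; table and field names are assumptions.

session_start();

// Issue one token per session; it is embedded in the form as a hidden field.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// hash_equals() compares in constant time, so a mismatch leaks nothing
// about the stored token.
function csrfTokenIsValid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Validate the field on its own terms: present, a string, short enough,
// and drawn from an allowed character set (assumed here: letters, digits, space).
// Returns an error message, or null when the value is acceptable.
function validateResponse($value): ?string
{
    if (!is_string($value) || $value === '') {
        return 'Response is required.';
    }
    // strlen() counts bytes, so this caps multi-byte input more tightly than
    // 10 characters; use mb_strlen() if character count is what you mean.
    if (strlen($value) > 10) {
        return 'Response must be 10 characters or less.';
    }
    if (!preg_match('/^[A-Za-z0-9 ]+$/', $value)) {
        return 'Response may contain only letters, digits and spaces.';
    }
    return null;
}

// Bound parameters keep data and SQL apart at the driver level, so quotes,
// backslashes or SQL keywords in the input are stored as plain text.
function storeResponse(PDO $db, string $value): void
{
    $stmt = $db->prepare('INSERT INTO responses (body) VALUES (:body)');
    $stmt->execute([':body' => $value]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE responses (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid form token.');
    }
    $error = validateResponse($_POST['response'] ?? null);
    if ($error !== null) {
        http_response_code(400);
        exit(htmlspecialchars($error, ENT_QUOTES, 'UTF-8'));
    }
    storeResponse($db, $_POST['response']);
    echo 'Saved.';
} else {
    // Render the form. Everything written into HTML is escaped on output,
    // which is where strip_tags()-style cleanup is usually trying to help.
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post">'
       . '<input type="hidden" name="csrf_token" value="' . $token . '">'
       . '<input type="text" name="response" maxlength="10">'
       . '<button type="submit">Send</button>'
       . '</form>';
}
```

The three checks do different jobs and none replaces another: the token rejects submissions that did not originate from a form this session was served, validation rejects data the application cannot use, and the bound parameter makes the database treat whatever survives as data rather than SQL. The `maxlength` attribute on the input is a convenience for the user only; the server-side length check is the one that counts, since a remote client can send any body it likes.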
People should stop using magic_quotes; it's deprecated and will be completely removed in an upcoming PHP version. Scripts relying on magic_quotes are not portable anymore.
Hi... strip_tags(), mysql_real_escape_string() and a "stop word" list (checked with preg_match or a foreach search) are the best ways. The stop word list is critical; you can put important SQL keywords with punctuation in it to avoid matching normal English words.