What is expected to happen?

Discussion in 'PHP' started by chiplonkar, Jan 24, 2007.

  1. #1
    Having experienced the frustration of seeing your own site hacked in a short span of one month, I started exploring, through Google, various options available for preventing "hacking".

    Of various things, mysql_real_escape_string() seemed to be one of the answers.

    Here is the code which I added in the PHP file which accepts some inputs from the user through an HTML form.

    function checkinput($value)
    {
        // Undo magic_quotes_gpc escaping so the value is not escaped twice
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Escape and single-quote everything that is not numeric
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        return $value;
    }



    There are two things which are happening.
    1. Strings like names or passwords from the user are refused when added to the MySQL database, on the grounds that strings with 'xxx' (single quotes) are not valid.

    2. If I remove the !is_numeric($value) line from the above code, the value gets added to the database, but characters like ", <, \, or > are also easily getting added (seen in the database).

    What is really expected to happen to the input provided by the user?
    I expect that characters which can insert code into the database should be rejected.

    Can anyone guide?

    Chiplonkar
     
    chiplonkar, Jan 24, 2007
  2. SilkySmooth

    #2
    Chiplonkar,

    Just use the addslashes() function on your data and ensure you have your data quoted and you will be fine.

    For example, query before:

    $Query="INSERT INTO tbl_users (user,pass) VALUES ({$_POST['username']},{$_POST['pass']});";
    Code (markup):
    Query after:

    $Query="INSERT INTO tbl_users (user,pass) VALUES ('".addslashes($_POST['username'])."','".addslashes($_POST['pass'])."');";
    Code (markup):
    That will allow you to safely insert single quotes. If you don't want specific characters inserted, then you should strip those characters out, but if you are only concerned about the hacking aspect, the second example is safe for any characters passed.

    HTH
     
    SilkySmooth, Jan 24, 2007
  3. clancey

    #3
    There was a fairly decent discussion of methods to secure user input in the following thread:

    http://forums.digitalpoint.com/showthread.php?t=113750

    You may find the ideas expressed there helpful and it should make it harder for people to hack your site. However, remember that checking user input is only part of the puzzle. You need to be certain that any third-party scripts are up to date and that you do not allow people to directly access scripts which they should not. You also need to be certain that your admin passwords are difficult -- longer than eight characters and a mix of alpha, numeric and others that are neither. You also need to be careful about the location from which you access the admin modules at your site. Avoid doing so from Internet cafes and the like.
     
    clancey, Jan 24, 2007
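
As an added example (not part of the original thread), this sketch writes the thread's INSERT as a PDO prepared statement and shows what to expect: quotes, backslashes and angle brackets are stored verbatim as data, and HTML-encoding happens only when a value is displayed. The in-memory SQLite database, the helper names `open_db` and `add_user`, and the sample inputs are assumptions constructed for illustration; the table and column names are the ones used in the thread.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: in-memory SQLite stands in for the thread's MySQL database.
function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tbl_users (user TEXT NOT NULL, pass TEXT NOT NULL)');
    return $db;
}

// Hypothetical helper: inserts one user with bound parameters.
function add_user(PDO $db, string $user, string $password): void
{
    // Placeholders keep the values out of the SQL text, so no manual quoting
    // and no is_numeric() special case is needed.
    $stmt = $db->prepare('INSERT INTO tbl_users (user, pass) VALUES (:user, :pass)');
    $stmt->execute([
        ':user' => $user,
        // Store a hash of the password rather than the password itself.
        ':pass' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

$db = open_db();

// Constructed sample inputs: a quote, markup with a backslash, a quote-breaking
// string, and a purely numeric name.
$inputs = ["O'Brien", '"<b>\\</b>"', "' OR '1'='1", '12345'];
foreach ($inputs as $name) {
    add_user($db, $name, 'constructed-password');
}

foreach ($db->query('SELECT user FROM tbl_users') as $row) {
    // Every character arrives in the table unchanged; encode for HTML only on output.
    printf(
        "stored: %-14s html: %s\n",
        $row['user'],
        htmlspecialchars($row['user'], ENT_QUOTES, 'UTF-8')
    );
}

echo 'rows: ', $db->query('SELECT COUNT(*) FROM tbl_users')->fetchColumn(), "\n";
```

With bound parameters the database driver never parses the input as SQL, which is why characters such as `"`, `<`, `\` and `>` appearing in the table are the expected result rather than a sign of a failed filter.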