I don't have time to really go into this right now as I'm headed to bed ...
I'm also not really an expert, I just remember reading some things in these boards from the real experts about it. Here is what I do:
1. Try never to allow arbitrary code from the URL (I try hard not to use the $_GET function. I typically only use $_POST.
2. I always make sure that the form submission parser I make looks for the actual form to be submitted. Sometimes I name the submit button something strange and then I look for that at the start of my parsing code:
Code:
<!-- Input Form HTML -->
<form>
..........
<input type="submit" name="submit" value="Register" />
</form>
PHP Code:
/****
* php page for parsing form submission data
*
****/
<?php
if $_POST['submit'] {
/* Do something with the form data */
} else {
echo "The form wasn't submitted properly. Please Try again.";
}
?>
There are other things to do also, like make sure only certain characters are present in certain form fields.
If someone is submitting a first and last name, there should only be alpha characters present in the field. If someone is submitting an email address, make sure it is a valid format and doesn't contain any illegal characters. In textareas, make sure there are no HTML characters present. Basically, make sure there is nothing but raw text.
There are a bunch of other things to do as well but they get more advanced, and as I said, I can't get into it right now!
~regards
Reply With Quote
