> GT> seems to be the common behavior. Is there a way someone can extract my php
> GT> file without this transformation?
>
> In a nutshell - no.
>
> Not without your server being compromised (i.e. hacked into or
> misconfigured).
>
> GT> One of the things I'm starting with is a simple blog/guestbook. I have a
> GT> couple form fields and I strip_tags ... what else should I be doing? I want
> GT> to leave the guestbook pretty open, so I don't want a sign-in and
> GT> confirmation thingie. I don't even mind anonymity, cuz I can edit the
> GT> comments later if I want.
>
> Check for SQL injection possibly? (assuming you are even using SQL)
> and make sure you addslashes (or test to see if that is being done for
> you) and that's about it.
>
> Depends how "anal" you want the script to be though :) I mean you
> could check everything.. from strings to integers, to string length,
> to IP address (flood control), to duplicate entries, etc etc etc.
> Really a "how long is a piece of string" scenario here.

Hey Richard,

Thanks for the quick response. I'm thinking of adding a check for the string
length, so someone doesn't copy and paste a dictionary into my guestbook,
but I'm not looking at flood control because the comments might be somewhat
conversational.

I have a couple PHP books (like the PHP Cookbook, PHP: Read Less, Learn
More) and a couple PHP/mySQL books and I can't seem to find anything about
that "transformation". Are there other books that describe what actually
happens? Is that on php.net somewhere, and what kind of keywords should I
use to find it? I don't think "transformation" is the right word.

Also, perl has "strict", which is to prevent other people from running your
scripts from their server. I added strip_tags to prevent someone from
running code on my server. Have I got my a** covered?

Thanks

Gabino
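An added example (not code from either poster) showing one way to do the checks Richard lists for a guestbook: cap the length, keep user input out of the SQL by binding parameters with PDO prepared statements (used here in place of addslashes), and escape at output time so stored HTML cannot run in a visitor's browser. It assumes PHP with the PDO SQLite driver; the table layout, length limits and sample input are assumptions.

```php
<?php
// Added example, not from the thread: a guestbook insert hardened against
// SQL injection and stored HTML/script. Runs offline against SQLite in memory.

const MAX_NAME_LEN = 60;       // assumed limits, tune to taste
const MAX_COMMENT_LEN = 2000;  // stops someone pasting a dictionary in

function openGuestbook(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)');
    return $db;
}

// Validate and store one entry. Returns an error message, or null on success.
function addEntry(PDO $db, string $name, string $comment): ?string {
    $name = trim($name);
    $comment = trim($comment);
    if ($name === '' || $comment === '') {
        return 'name and comment are required';
    }
    if (strlen($name) > MAX_NAME_LEN || strlen($comment) > MAX_COMMENT_LEN) {
        return 'entry too long';
    }
    // Values are bound, never interpolated: a quote in the input is data, not SQL.
    $stmt = $db->prepare('INSERT INTO guestbook (name, comment) VALUES (:name, :comment)');
    $stmt->execute([':name' => $name, ':comment' => $comment]);
    return null;
}

// Render entries. Escaping here, not only stripping on input, is what keeps
// injected markup from executing in a reader's browser, whatever was stored.
function renderEntries(PDO $db): string {
    $html = '';
    foreach ($db->query('SELECT name, comment FROM guestbook ORDER BY id') as $row) {
        $html .= '<p><b>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</b>: '
               . nl2br(htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8')) . "</p>\n";
    }
    return $html;
}

$db = openGuestbook();
// Constructed sample input with a quote and a tag, the kind of thing a form may receive.
addEntry($db, "O'Brien", "Nice site <script>alert(1)</script>");
echo renderEntries($db);
```

The stored comment is written back as literal text, so the tag shows up on the page instead of running, and the apostrophe in the name reaches the database unchanged.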

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php