Moderator: General Moderators
requinix wrote: Upload directories inaccessible except through a "download" script
requinix wrote: 13. Single or double? Doesn't matter if you're escaping the values properly.
requinix wrote: 5. Use what's sensible.
Christopher wrote: 5-7. Not sure these are real security measures, but can't hurt.
Live24x7 wrote:requinix wrote: Upload directories inaccessible except through a "download" script
I did not understand what this means
Live24x7 wrote:requinix wrote: 13. Single or double? Doesn't matter if you're escaping the values properly.
What i meant is that putting single or double quotes around all values before putting them in your SQL to prevent sql injection.
Live24x7 wrote:requinix wrote: 5. Use what's sensible.
Isn't it better to keep url parameters different actual field names in database ?
global_erp_solution wrote:1.I don't really understand the XSS attack part. htmlentities() is useful only when you're trying to render HTML input to client's browser, correct? so when data flows out from the server into client? Suppose I never manipulate browser's DOM (because all server response are in text form), is it safe to say that my web app is immune to XSS attack?
global_erp_solution wrote:2. as for SQL injection and mysql_real_escape_string(), I thought escaping and wrapping the input string from user input is enough? I just do 4 things to achieve this objective :1. change all single quotes to \'
2. change all backslash to double backslash
3. change all double quotes to \"
4. wrap strings in single quotes
Users browsing this forum: Exabot [Bot] and 4 guests