So this week I'm going to secure my PHP application as much as possible. I retrieve data from the database a lot, so I need some basic tips that would help me secure the below code.
Thanks, im just a newbie.
<?php
mysqli_select_db($connect,"users");
$select="select * from members";
$result=mysqli_query($connect,$select);
$row=mysqli_fetch_array($result);
//this is what i want to secure -- down
$a = $row['name'];
$b = $row['add'];
?>
Thanks.
Encode everything from user input / database you want to display in the browser with htmlspecialchars() to avoid XSS.
htmlentities. Use the proper function which in this case would be htmlspecialchars, and you need to set the proper characterset. htmlentities is completely unrelated to security from any standpoint other than the fact it's a superset of htmlspecialchars functionality.
You basically need to secure BEFORE sending data to the DB (against SQL injection), and BEFORE outputting to html (against XSS). Those things are important, while inside your script almost everything is pretty much harmless (and can lead to errors on subsequent codes, btw).
At first hand, do you have any security when inputing data in your database ? You code may be vurnalable to SQL Injection if you do not sanitize your data when inserting into the database. For that - check this function http://php.net/manual/en/mysqli.real-escape-string.php
Another thing is that, html and javascript can be inserted in your database, and if you do not escape it and use print that data to HTML, you are vurnalable to Cross-Site-Scripting . You should escape your data using http://bg.php.net/manual/en/function.htmlentities.php. or http://bg.php.net/manual/en/function.htmlspecialchars.php
Security is a big topic, but this can be a start for you - escape your input first, then take care of the output.
