Jump to content
Larry Ullman's Book Forums

andylorenz

Members
  • Posts

    4
  • Joined

  • Last visited

andylorenz's Achievements

Newbie

Newbie (1/14)

0

Reputation

  1. I think i get. Recently i'm using ajax call to generate some html page and i started to get datas from a php file, I noticed that the javascript inside the php file didn't work, so i moved the javascritp in the main html page that run the ajax call. Probably you need to execute the javascript if you want it to work. This is better to me since i'm concerned security. I think i can start my project, i have some other points to take care as not allow upload all kind of files in the file system manager (this is in the documentations, i need only to read well and test door i can leave open) i can't go out of the root in this project (i have sort of little public folder space) so i thought to create backend application inside a folder with alphanumeric name impossibile to get and not use a directly password and username access in the index page (you need to know where is the url of backend), then i will create username and password in this hidden page (i can do it since is projject for 3/4 users). All other things i see are in the book (about best way use password security, about cookie or session, etc.. ) About mysql injection i think I get and it's all written in the book I think i'm ready to start write something without worry a lot about security (that is topic i confess I don't like very much, but it's very important study) Thanks Larry again your very important help to learner
  2. Larry i need another little help for my little amatour project I know exist danger someone in a input text field write html code for example javascritp, and i know someone can write sql code for inject your database, this is reason you need to filter, check, valdate, prepare statement and use all technique that professionists people teach you but, in theoric question, supposing i use nothing for good security, is it possbile to write in a input text php code and use it to create problem your site (for example i imagine submit a form where someone write a scritp in php that make a scandisk of a folder)? i made some test and don't seem possbile do it, i also tried to look at in internet and i didnt' see it (but sometimes is not simple google something because you don't know english perfectly well or you don't know specific name of something) i ask to convalidate this impression and if is possbile know why is not possbile inject php code since i dont' get very well Thank Larry your help and patience
  3. Hello Larry and Hello Community, I bought book php and mysql for dynamic web sites in english from USA since i didn't see it in my native language. I gave a look all book for make general feeling and then i will read better and careful example and teching suggestions. Book is very very good in my opinion. My question is about what is best techinque to store html inside mysql database. I'm studying a bit how work CKeditor, but i think many html editor work more or less in same way, and it use a textarea to collect the html, so what you really need to do after a submit or similar processes is simply get the value of texarea and use php to store html in database. I'm asking how handle security, quote and double symbols or other problems. If i have understand i can use directly mysql_real_escape when i get textarea, simply before send html inside mysql or i can use prepared statement and in this case i think i can't use mysql_real_escape so i need pheraps to use htmlentities. I'm a little confuse about conflict you could have use both htmlentities, prepared statement, mysql_real_escape, etc.. I'm not exactly sure how i is best way general speaking in term of 100% secutiry and in term or not ruin html inside mysql and also i'm not sure what is procedure to make the contrary, i mean get html from mysql and serve i in page. Thanks very much. Andrea
×
×
  • Create New...