Security?
Date: 04/24/06
(PHP Community) Keywords: php, mysql, html, sql, security, web, spam
Hi everyone,
I'm looking for some advice on some simple security measures. I deal with a political web site that wouldn't necessarily be sticking its neck out for malicious attacks but has received some spam attention on its forms already, and I worry as we store more data in a MySQL db (is it wrong to store a mailing list there?) that an injection could get in and send out sensitive information or potentially attack our larger parent organization that provides us with server space.
Basically I have the same kind of simple form doing the same thing in a few instances of the web site. The form has about 20 fields, most of type text, some textarea, and a few of type file (for resumes, applications, etc). I don't currently copy any of the files to the server because I don't have access to do so, so I email them (via PHP) to myself or whoever the coordinator is. I don't currently have anything in place except for stripslashes and/or removing HTML in some cases, but I know that these measly little concoctions don't do anything to protect me from a sophisticated (or hell, even newbie) attack.
What kinds of things should I be doing? I should probably be processing strings to make sure that they don't have any sql in them or make it so that the user is blocked from having access to damaging things, but I don't know what signifiers to look for or even what functions to use. Anyone have any basic suggestions or advice, or a link to a source that might help me beef up my data police? Thanks in advance!
Source: http://community.livejournal.com/php/443711.html
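Added example (editor's code, not part of the original post and not the poster's site code): the three concrete risks the post raises are SQL injection into the MySQL table, spam abuse of the PHP mail step, and the file fields. Below, the form is validated against a whitelist of fields, the mailing-list row is written with a PDO prepared statement so the submitted text is never parsed as SQL, the upload is checked by what the server observed rather than the client-supplied name, and the notification mail is built only from values that were rejected if they contained a line break (which is how a spammer appends extra Bcc: headers). The table name, field names, DSN, credentials and e-mail addresses are assumptions for illustration.

```php
<?php
// Editor-added example: hardened handling for a contact/resume form.
// Table, field names, DSN and addresses are illustrative assumptions.

declare(strict_types=1);

function validate_submission(array $post): array
{
    $errors = [];

    // Whitelist exactly which fields are accepted; everything else is ignored.
    $name  = trim((string)($post['name'] ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    $notes = trim((string)($post['notes'] ?? ''));

    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'name must be 1-100 characters';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email address is not valid';
    }
    // A CR or LF in a value that ends up in a mail header lets the sender
    // inject "Bcc:" lines; reject instead of trying to clean it.
    if (preg_match('/[\r\n]/', $name . $email)) {
        $errors[] = 'header fields may not contain line breaks';
    }
    if (mb_strlen($notes) > 5000) {
        $errors[] = 'notes too long';
    }

    return [$errors, ['name' => $name, 'email' => $email, 'notes' => $notes]];
}

function save_subscriber(PDO $db, array $clean): int
{
    // The SQL text is fixed; values are bound separately and never
    // interpolated, so "'; DROP TABLE mailing_list; --" stays a string.
    $stmt = $db->prepare(
        'INSERT INTO mailing_list (name, email, notes, created_at)
         VALUES (:name, :email, :notes, NOW())'
    );
    $stmt->execute([
        ':name'  => $clean['name'],
        ':email' => $clean['email'],
        ':notes' => $clean['notes'],
    ]);
    return (int)$db->lastInsertId();
}

function check_upload(array $file): ?string
{
    // Trust only what the server observed, never the client-supplied
    // filename or Content-Type. Returns null when the file is acceptable.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed';
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        return 'file larger than 2 MB';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    $mime    = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $allowed = ['application/pdf', 'text/plain'];
    if (!in_array($mime, $allowed, true)) {
        return "unexpected file type $mime";
    }
    return null;
}

function notify_coordinator(string $to, array $clean): bool
{
    // Headers are built only from validated values; the sender is fixed
    // (assumed address) so the form cannot be used as an open relay.
    $headers = "From: webform@example.org\r\n"
             . 'Reply-To: ' . $clean['email'] . "\r\n";
    $body = "New submission from {$clean['name']}\n\n{$clean['notes']}\n";
    return mail($to, 'Form submission', $body, $headers);
}

// Usage (assumed DSN, credentials and addresses):
// $db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//                PDO::ATTR_EMULATE_PREPARES => false]);
// [$errors, $clean] = validate_submission($_POST);
// $uploadError = check_upload($_FILES['resume'] ?? []);
// if (!$errors && $uploadError === null) {
//     save_subscriber($db, $clean);
//     notify_coordinator('coordinator@example.org', $clean);
// }
```

Two points the example does not cover but a practitioner would add: when any of these values is later printed back into a page (an admin view of the mailing list, for instance), pass it through `htmlspecialchars()` at output time, since "removing HTML" on input is neither reliable nor the right layer; and keep the database account the form uses limited to INSERT on the one table, so a bug elsewhere cannot read or dump the rest of the data.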