The Blogger of DOOM!

    Date: 05/25/06 (PHP Community)    Keywords: html, database, sql, security

    Currently I'm working on a small and simple blogger for someone.  It doesn't have to be anything extraordinary; however, of course, I want it to be as secure as possible within my means.

    I've heard all of the horror stories of SQL injection and whatnot, where users input bad things to make bad things happen, and that there is a general rule about NEVER letting user input go directly into a database without cleaning it up.

    Well... in this case, it isn't that simple.


    I don't really want to limit what characters the user can enter (except for HTML, which I'm stripping out).  But I don't want to limit it to alphanumeric characters either.  So, I thought of another way where the user has more freedom, but I'm hitting some walls with it... and perhaps some of you could let me know if you see any glaringly obvious problems.

    I was thinking of having the user's input sent to a text file.  A file, automatically named, maybe by timestamp or whatever, that contains the text the user has entered.  Then, the DB would only contain the name of the file created, its ID number, and the user associated with it.  Then, when viewing them, simply pull the name of the file from the DB, fopen and fread it, and echo the results.  I have the opening and reading part working, however... I want to avoid people being able to go to that file directly (by some stroke of luck in guessing its name).  So... my two concerns are:

    1. Are there any obvious security issues by doing this with external files?
    2. Is there any way I can prevent direct opening of these files?

    Thank you in advance.

    Source: http://community.livejournal.com/php/453279.html
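An added example (not the poster's code) of how the concern in the post is usually handled in PHP: a prepared statement keeps the user's text out of the SQL string entirely, so no characters need to be restricted, and HTML is escaped when displaying rather than stripped when saving. It assumes a `posts` table as described in the comments and uses an in-memory SQLite database so it runs stand-alone; the DSN is the only thing to swap for MySQL.

```php
<?php
// Added example: store the post body directly in the database with a
// prepared statement, then escape it on output.
// Assumed schema: posts(id, user_id, body). The SQLite DSN is for the demo.

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');   // demo DSN; e.g. 'mysql:host=...;dbname=...' in production
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE posts (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        user_id INTEGER NOT NULL,
        body TEXT NOT NULL)');
    return $pdo;
}

function savePost(PDO $pdo, int $userId, string $body): int {
    // The body never becomes part of the SQL text: quotes, semicolons and
    // comment markers are passed to the driver as data, not as syntax.
    $stmt = $pdo->prepare('INSERT INTO posts (user_id, body) VALUES (:user_id, :body)');
    $stmt->execute([':user_id' => $userId, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function renderPost(PDO $pdo, int $id): string {
    $stmt = $pdo->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '<p>No such post.</p>';
    }
    // Escape on output instead of stripping on input: the stored text stays
    // exactly as the user wrote it, and the browser cannot treat it as markup.
    $safe = htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>' . nl2br($safe) . '</p>';
}

// Constructed sample input: the kind of text that would break a query built
// by string concatenation, stored and displayed here without any filtering.
$pdo = connect();
$id  = savePost($pdo, 42, "Bob's post; DROP TABLE posts; -- <b>bold?</b>");
echo renderPost($pdo, $id), PHP_EOL;
```

If the files-on-disk design is kept anyway, the second concern in the post is handled by writing the files to a directory outside the web server's document root, so the only way to read them is through the script that looks up the name in the DB.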


