MakeWebGames

Security Info[Revamped]



Guest Drizzle
Posted

Okay, well this is an update to my last security tutorial; please feel free to tell me if I missed anything.

abs - Checks if a number is a positive value.

intval - Checks if a number is a number and not alphabetical characters. Also makes sure it's not a decimal. If you plan on checking decimals, see (floatval) below.

floatval - Checks an integer to make sure it is a decimal. This is usually used for big numbers, or things like strength and guard (in mccodes) that have decimals.

mysql_real_escape_string (aka mres) - Escapes special characters run in an SQL statement. Very useful, and I always recommend functions that use direct PHP functions, as user-made functions are not always reliable.

htmlentities - Removes all HTML characters from whichever variable it is applied to. It gets rid of <>!#$&%*)({}][' ";,. etc. Very useful against an XSS attack. But be careful of using this too much. If you don't want to remove everything, but remove some, refer to either htmlspecialchars (recommended) or str_replace (takes more time to write, but can still be very useful if you don't like what the other two do).

htmlspecialchars - Removes ampersands, double quotes, single quotes, less-than signs, and greater-than signs from whatever it is applied to. Useful if you just don't want quotes in people's names, etc.

stripslashes - Strips a string or value of any slashes. Sometimes when used with mres, they cancel each other out.

addslashes - Adds slashes to values. Not sure what this could be used for. I'm sure if you'd want your value to contain slashes, you could use this, but I'm not sure who would like slashes on their variables for others to see. Could be useful if you're just trying to do this where only you or certain staff can see it, but that part's an opinion.

ctype_digit - Checks if all characters in a variable are numerical. Useful for things such as (another mccraps example) the crystal market, because if you check that the amount being bought is a number, along with abs and intval, it will make it ALMOST impossible to hack the crystal market. Still XSS to clean up.

ctype_alnum - Checks if all characters in a variable are both alphabetical and numerical. Useful to check for # in URLs, which, if you don't know already, # is the PHP comment tag, and if that tag is able to be used in your URL, they can drop any tables that are opened in the crystal market. One important one is usually a users table, that contains user data. So make sure, I don't care what function you use, you always check for illegal characters in URLs.

ctype_alpha - Checks if all characters are alphabetical. No special chars, no numbers, or it will error, which is good for you, if you understand the debug system (which I will talk about later; it's my idea of a debug thing, but who knows).

sprintf - Not really security. It formats queries, print, echo, etc. when applied correctly. See php.net for the commands that it uses. Usually, if you don't have super fast servers, this slows your site down, but somehow I just feel that without this, people can do RFI attacks and things, but I'm not sure.

vprintf - The equivalent of sprintf, but for arrays. I believe you can sprintf arrays, but you should use vprintf if anything, because it's made especially for arrays. I believe this runs off the same commands as sprintf does.

strip_tags - Useful for inserting and un-inserting HTML to/from the database. First of all, there should be absolutely no HTML in your database, because some HTML can be used for XSS. But if you do insert it with tags, remember to output it with strip_tags so they don't show, thus making a possible attack harder.

whitelist array - Not a function, but a method. I will not be giving too much about this, as you need to learn how I have to learn. Now in Mark Twain's view, the self-taught man is ignorant. This is the case if the man has no self-discipline. Without self-discipline, you will never learn anything correctly. But with self-discipline, self-taught is worth it. Same for the man that knows so much he won't listen to others. That can be bad really, because it shows that the man is nothing but ignorant and will never get too far unless he knows self-discipline. Just trying to state a point.

Anyway, a whitelist array would be something like... !in_array($var, array("var","var","var")), usually used with if. Useful to check other variables with.

Blacklist arrays are OK, but you can miss many things with them.

Any other ones please tell me.
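The functions listed in the post, put to work in one request handler. This is an added example written for this page, not code from the original post or from mccodes; the item whitelist, the sample request values, the purchases table and the mysqli connection are assumptions for illustration. It shows what the functions actually return on hostile input (ctype_digit and intval on a negative or mixed quantity, in_array with the needle first and the strict flag set, htmlspecialchars versus strip_tags on a script tag) and binds the validated values with a prepared statement, with mysqli_real_escape_string noted as the current equivalent of the old mres for the cases where a string is still interpolated into SQL.

```php
<?php
// Added example for this page (not code from the original post or from
// mccodes): a "buy crystals" handler built from the functions discussed
// above. The item whitelist, the sample request values, the purchases
// table and the mysqli connection are assumptions for illustration.
declare(strict_types=1);

// Whitelist of purchasable items. The value from the URL must match one of
// these exactly, so "#", quotes or a table name never reach the query.
const ALLOWED_ITEMS = ['crystal', 'potion', 'elixir'];

// Returns a positive int, or null if $raw is not an unsigned integer.
// ctype_digit() accepts only strings made entirely of 0-9, so "12abc",
// "-5", "1.5", "1e3" and "" are refused instead of being coerced.
// abs() is deliberately not used: it would turn "-5" into 5 and accept it.
function parseQuantity(string $raw, int $max = 1000000): ?int
{
    if (!ctype_digit($raw)) {
        return null;
    }
    $qty = intval($raw); // safe to convert now: every character is a digit
    return ($qty >= 1 && $qty <= $max) ? $qty : null;
}

// Whitelist check. in_array() takes the needle first, then the array; the
// third argument forces === so loosely-equal values cannot match.
function parseItem(string $raw): ?string
{
    return in_array($raw, ALLOWED_ITEMS, true) ? $raw : null;
}

// Output encoding. htmlspecialchars() does not delete characters: it
// rewrites & < > " ' as entities so the browser renders them as text.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The write. The validated values are bound as parameters, so nothing is
// interpolated into the SQL and no escaping is needed. (The mysql_* family
// is gone from current PHP; mysqli_real_escape_string() is the equivalent
// of the old "mres" for the cases where a string is still interpolated.)
function recordPurchase(mysqli $db, int $userId, string $item, int $qty): bool
{
    $stmt = $db->prepare('INSERT INTO purchases (userid, item, qty) VALUES (?, ?, ?)');
    $stmt->bind_param('isi', $userId, $item, $qty);
    return $stmt->execute();
}

// Constructed sample inputs, standing in for $_GET['qty'] and $_GET['item'].
$samples = [
    ['qty' => '25',          'item' => 'crystal'],
    ['qty' => '-25',         'item' => 'crystal'],
    ['qty' => '1e3',         'item' => 'crystal'],
    ['qty' => "25' OR 1=1#", 'item' => 'crystal'],
    ['qty' => '10',          'item' => "crystal'; DROP TABLE users;#"],
    ['qty' => '10',          'item' => '<script>alert(1)</script>'],
];

foreach ($samples as $in) {
    $qty  = parseQuantity($in['qty']);
    $item = parseItem($in['item']);
    if ($qty === null || $item === null) {
        // Echo rejected input back encoded, never raw: the "bad input"
        // error page is where the reflected XSS usually lives.
        echo 'rejected: qty=' . h($in['qty']) . ' item=' . h($in['item']) . "\n";
        continue;
    }
    echo "accepted: qty=$qty item=$item\n";
    // recordPurchase($db, $userId, $item, $qty); // with a live mysqli connection
}

// strip_tags() versus htmlspecialchars() on the same payload: strip_tags()
// drops the tags but keeps their content and the quotes, so it is not a
// substitute for encoding at output time.
$payload = '<script>alert("x")</script> & "quotes"';
echo strip_tags($payload), "\n";
echo h($payload), "\n";
```

Run it from the command line with `php buy.php` (no database needed; the recordPurchase call is commented out). Only the first sample is accepted; the other five are rejected and echoed back as entities, and the last two lines show that strip_tags leaves `alert("x")` and the quotes in place while htmlspecialchars turns every `<`, `>`, `&` and quote into an entity.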
