Bucaro TecHelp

Basic Dynamic Website Security

At the most basic level, PHP can simplify the navigation of a website through the include function. Added to each page of the site, it pulls in an HTML file that contains the site's navigation links. The main advantage is that the webmaster only has to edit that one file instead of every single page on the site.

Obviously, if your site has thousands of pages, this is going to save you some time! The include function tells the server hosting your website to take the contents of the included file and put them into the code of your page. Typical use of the include function is as follows:

When the page loads, you won't see the PHP code; instead you see the contents of the included file. In the case above, you would see your navigation links etc. where they should be.

The next step up in using PHP to enhance your site is a contact form. This is where the first security concerns come up. A contact form lets anyone enter data into its fields, and that data is sent to the PHP file that processes it. User-entered data must never be trusted!

There are many things a typical user can do which may cause you annoyance or, in the case of a purchase form, cause you to never receive the order, e.g. mistyping their email address! This is why form validation is important. When a user makes a mistake in a form field, your form processing script should notify them and instruct them to correct the mistake and resubmit. This is usually quite simple to do: use a regular expression to validate the email address and a random anti-spam number generator to stop spam bots.

Do not use CAPTCHAs! They are completely overrated and extremely frustrating to most users. A simple five-digit number that is randomly generated and rendered as a picture will suffice to stop automated form-filling bots.

So, some simple validation techniques and a random number picture generator will suffice for 90% of the webmasters and blog owners out there. If you plan on using MySQL for some aspect of your website, such as letting users submit information for things like profiles, then you will need to go a step further.
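The validation described above, written out as an added example (this is not code from the article): the email address is checked with a regular expression, free-text fields have HTML tags stripped, and the five-digit anti-spam number that was shown to the visitor is compared with what they typed. Rendering the number as a picture is left out; the session key name, the field names and the sample submissions are assumptions made for this illustration.

```php
<?php
// Added example, not the article's own code: server-side validation for a
// contact form. Field names, the session key and the sample input are
// assumptions for illustration only.

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Generate the five-digit anti-spam number for a fresh form and remember it
// in the session so the processing script can check it on submission.
function new_antispam_code(): int
{
    $code = random_int(10000, 99999);
    $_SESSION['antispam'] = $code;
    return $code;
}

// Return a list of error messages; an empty list means the submission is valid.
function validate_contact_form(array $post, ?int $expected_code): array
{
    $errors = [];

    $name  = trim(strip_tags($post['name'] ?? ''));
    $email = trim($post['email'] ?? '');
    $msg   = trim(strip_tags($post['message'] ?? ''));
    $code  = trim($post['antispam'] ?? '');

    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'Please enter your name (up to 100 characters).';
    }

    // Deliberately strict pattern: local part, "@", one or more domain
    // labels, then a top-level domain of at least two letters.
    if (!preg_match('/^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$/', $email)) {
        $errors[] = 'The email address does not look valid; please check it.';
    }

    if ($msg === '') {
        $errors[] = 'Please enter a message.';
    }

    // The number shown in the picture was stored in the session when the form
    // was displayed; a bot that never loaded the form has nothing to match.
    if ($expected_code === null || !ctype_digit($code) || (int)$code !== $expected_code) {
        $errors[] = 'The anti-spam number does not match the picture.';
    }

    return $errors;
}

// --- constructed demonstration input; not a real submission ---
$_SESSION['antispam'] = 48213;   // pretend the form was displayed with this number

$good = ['name' => 'Jane', 'email' => 'jane@example.com',
         'message' => 'Hello', 'antispam' => '48213'];
$bad  = ['name' => '<a href="http://spam.example">Buy</a>',
         'email' => 'jane@@example', 'message' => '', 'antispam' => '12345'];

print_r(validate_contact_form($good, $_SESSION['antispam'] ?? null));
print_r(validate_contact_form($bad,  $_SESSION['antispam'] ?? null));
```

The first call returns an empty array; the second returns three messages (bad email, empty message, wrong anti-spam number), while the link in the name field is reduced to plain text by strip_tags. In a real form, new_antispam_code() is called when the form page is rendered and its value drawn into the picture.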

The biggest threat is a MySQL injection attack. This is where a user types some PHP and SQL code into a field in your form. That data is then sent to your script, which interprets it as commands and functions rather than as raw text. So if someone were to send an SQL string that looked something like "DELETE * from myblog", every record in "myblog" would be deleted, and that would be the end of your blog, posts and comments to boot!

Other sneaky things people may try include sending a set of commands to your script that result in them being able to place a link somewhere on your site. This is often done by using the fwrite function to append code to one of your HTML files.

These are no small issues; they must be addressed or people could wreck your plans for internet domination! The solution is very simple. There are two functions that can be used to help secure your forms and scripts. The first is strip_tags($myvar), where "$myvar" is the variable that contains the input from the form. A working example would look something like this:

$name = strip_tags($_GET['namefieldfromform']);

This strips any tags that the user may have entered into your form. It is useful for stopping people from adding their own links to websites in things like comments. The other, and more important, function is mysql_real_escape_string(). It is a little trickier to use but still quite easy to implement. First you must construct the query you are going to send to your database:

$query = "INSERT INTO image (sourceurl, thumburl, ratings, dateadded, description, submitedby, category, keywords) VALUES ('$efilename', '$thumbname', '0', '$date', '$desc', '$name', '$cat', '$tags')";

You would then escape each variable that appears in the query like this:

// mysql_real_escape_string() returns the escaped copy and leaves its argument
// untouched, so the result must be assigned back to each variable. These
// assignments have to run before the $query string above is built (or $query
// must be rebuilt afterwards), otherwise the query still holds the raw values.
$efilename = mysql_real_escape_string($efilename);
$thumbname = mysql_real_escape_string($thumbname);
$date      = mysql_real_escape_string($date);
$desc      = mysql_real_escape_string($desc);
$name      = mysql_real_escape_string($name);
$cat       = mysql_real_escape_string($cat);
$tags      = mysql_real_escape_string($tags);

This escapes the quote and control characters in those variables, so the database treats their contents as plain text values rather than as part of the query. Remember never to trust information entered by users, as you never know who might be trying to cause trouble!
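The article's INSERT carried through as an added example (not the article's own code), with strip_tags on the free-text fields and every value escaped before the query string is assembled. Two things here go beyond the text and are assumptions: mysqli_real_escape_string() stands in for mysql_real_escape_string(), because the mysql_* functions were removed in PHP 7, and the same insert is shown a second time as a prepared statement, where the values never become part of the SQL text at all. The connection credentials are placeholders and the "image" table is assumed to have the columns named in the article.

```php
<?php
// Added example, not the article's code. Assumes a MySQL server reachable
// with the placeholder credentials below and an "image" table with the
// columns used in the article's INSERT. mysqli_real_escape_string() is used
// in place of the article's mysql_real_escape_string().

mysqli_report(MYSQLI_REPORT_OFF);   // report errors via return values, not exceptions

// Escape first, interpolate second. The escaped copy is the RETURN VALUE:
// calling mysqli_real_escape_string($db, $x) and ignoring the result leaves
// $x, and therefore the query, unchanged.
function build_image_insert(mysqli $db, array $in): string
{
    $v = [];
    foreach (['efilename', 'thumbname', 'date', 'cat'] as $k) {
        $v[$k] = mysqli_real_escape_string($db, $in[$k]);
    }
    // Free-text fields: strip HTML as the article suggests, then escape.
    foreach (['desc', 'name', 'tags'] as $k) {
        $v[$k] = mysqli_real_escape_string($db, strip_tags($in[$k]));
    }
    return "INSERT INTO image (sourceurl, thumburl, ratings, dateadded, description, submitedby, category, keywords) "
         . "VALUES ('{$v['efilename']}', '{$v['thumbname']}', '0', '{$v['date']}', "
         . "'{$v['desc']}', '{$v['name']}', '{$v['cat']}', '{$v['tags']}')";
}

// Prepared statement: the SQL is sent with "?" placeholders and the values
// travel separately, so a quote inside the description cannot end the string
// literal early and no manual escaping is needed.
function insert_image_prepared(mysqli $db, array $in): bool
{
    $stmt = $db->prepare(
        'INSERT INTO image (sourceurl, thumburl, ratings, dateadded, description, submitedby, category, keywords) '
        . 'VALUES (?, ?, 0, ?, ?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $desc = strip_tags($in['desc']);
    $name = strip_tags($in['name']);
    $tags = strip_tags($in['tags']);
    $stmt->bind_param('sssssss', $in['efilename'], $in['thumbname'], $in['date'],
                      $desc, $name, $in['cat'], $tags);
    return $stmt->execute();
}

// --- demonstration with constructed input; no real submission involved ---
$in = [
    'efilename' => 'uploads/sunset.jpg',
    'thumbname' => 'thumbs/sunset.jpg',
    'date'      => date('Y-m-d'),
    'desc'      => "O'Brien's <a href=\"http://example.com\">photo</a>",  // apostrophe plus a tag
    'name'      => "O'Brien",
    'cat'       => 'landscape',
    'tags'      => 'sunset, beach',
];

// Placeholder credentials: replace with your own.
$db = @new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_error) {
    fwrite(STDERR, "No database connection: {$db->connect_error}\n");
    exit(1);
}

// Interpolated raw, the apostrophe in the description would end the quoted
// value early; the escaped query keeps it inside the string.
echo "Raw value:  {$in['desc']}\n";
echo "Escaped:    " . build_image_insert($db, $in) . "\n";
echo "Prepared insert " . (insert_image_prepared($db, $in) ? 'succeeded' : 'failed') . "\n";
```

Compare the two printed lines: in the escaped query the description appears as O\'Brien\'s photo, so the apostrophes stay inside the quoted value. The prepared statement is the form to prefer in new code, since it makes the escaping step (and the chance of forgetting it for one variable) unnecessary.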


Tom C W Higgins, provider of advice for start-up webmasters and web-based FTP clients.

Copyright©2001-2024 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268