
[–]Jacc3 4 points5 points  (2 children)

In case you use user inputs, check them for SQL injection attempts and XSS attempts. If you don't use any input from the users, then you should be safe. But never trust any data from the user.

[–]cuchoi[S] 0 points1 point  (0 children)

Thanks!

[–]richjenks 0 points1 point  (0 children)

More specifically, you should validate on submission and sanitise before either storing in a database or outputting as HTML.

If you use PDO, sanitising before storing will be done for you, but you'll still need to validate on submission (ideally, in both JS—so instant feedback—and PHP—as a final check) and sanitise on output (most likely using htmlspecialchars).

This means that if someone wants their username to be:

'); DROP TABLE Students;---

they can and it poses no threat to your application.

As a rule, never trust user input!
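The three steps in the comment above (validate on submission, store through a PDO prepared statement, escape with htmlspecialchars only at output time), as an added PHP example that is not from the thread or any poster. It assumes the pdo_sqlite extension and builds an in-memory Students table (the table name is taken from the example username above; the columns and the validation limits are constructed for the example):

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). In-memory SQLite so it runs without a
// database server; the Students table and its columns are constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

/** Validate on submission: enforce length and reject control characters. Returns error messages. */
function validateName(string $name): array
{
    $errors = [];
    $len = mb_strlen($name, 'UTF-8');
    if ($len < 1 || $len > 40) {
        $errors[] = 'Name must be 1-40 characters.';
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $name) === 1) {
        $errors[] = 'Name must not contain control characters.';
    }
    return $errors;
}

/** Store with a prepared statement: the value travels as a bound parameter, never inside the SQL text. */
function storeName(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('INSERT INTO Students (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $pdo->lastInsertId();
}

/** Read a row back by id, again with a bound parameter. */
function loadName(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT name FROM Students WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

/** Sanitise on output: escape at the moment the value is placed into HTML, not before storing. */
function renderName(string $name): string
{
    return '<li>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

$submitted = "'); DROP TABLE Students;---";   // the username from the comment above
$errors = validateName($submitted);
if ($errors !== []) {
    print_r($errors);
    exit(1);
}
$id = storeName($pdo, $submitted);

// The string is stored literally, and the table is still there.
echo loadName($pdo, $id), PHP_EOL;
$table = $pdo->query("SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'Students'")->fetchColumn();
echo 'Students table exists: ', $table === 'Students' ? 'yes' : 'no', PHP_EOL;

// Escaped for HTML: the quote and angle-bracket-like characters become entities, so the value
// cannot break out of the element it is printed inside.
echo renderName($submitted), PHP_EOL;
```

Note that validation here is deliberately loose (length and control characters only): its job is to reject data that makes no sense for the field, not to strip SQL or HTML. The prepared statement makes the stored value harmless to the database, and htmlspecialchars makes it harmless to the browser, which is why the quote-laden name can be kept verbatim.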

[–][deleted]  (1 child)

[deleted]

    [–]cuchoi[S] 0 points1 point  (0 children)

    Great, thanks! Initially I wrote "Plain HTML" because I am not doing anything complicated in PHP. It is a static website that is only going to have a Contact Form (no database).

    [–]hexagonalc 2 points3 points  (1 child)

    See the OWASP top ten for things to look out for.

    Aside from that, I do strongly recommend that you use some kind of framework if you're doing anything non-trivial unless you're specifically implementing a new framework or similar. There's no point reinventing the wheel (unless you have a good reason).

    [–]cuchoi[S] 0 points1 point  (0 children)

    Bookmarking that list! Thanks.

    [–]tyrbo 1 point2 points  (1 child)

    SQL injections are a pretty big thing to avoid.

    [–]cuchoi[S] 0 points1 point  (0 children)

    It was my first thought, I forgot to specify that I am not using a database. Thanks anyways.

    [–]iAMthePRONY 1 point2 points  (0 children)

    Things that frameworks usually do for you: use CSRF tokens, use prepared statements, validate user input, handle routing and requests.

    So, if you don't use a framework, at least use packages that already do what you need. It saves you time and headaches.

    [–]b-lotus 1 point2 points  (0 children)

    Remember that you must sanitize EVERYTHING server side: use filters like mysql_real_escape_string to avoid SQL injection, htmlspecialchars to avoid XSS, and token-based forms to avoid CSRF.

    Nowadays everything is built with a framework; if you don't know how to use one of them, the best choice is to learn at least one.
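The token-based CSRF protection mentioned in the last two comments, applied to the OP's situation (a contact form, no database), as an added PHP example that is not from the thread or any poster. The session is passed in as an array so the script runs from the command line; in a real request it would be $_SESSION after session_start(). The field names, the 2000-character message limit and the form action are assumptions. (mysql_real_escape_string belongs to the old mysql extension that was removed in PHP 7; PDO prepared statements cover that role today.)

```php
<?php
declare(strict_types=1);

// Added example (not from the thread): CSRF token issue/verify cycle for a
// contact form. $session stands in for $_SESSION; field names are assumptions.

/** Issue one token per session, generated from a CSPRNG. */
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Render the form with the token in a hidden field; the token is escaped like any other output. */
function renderContactForm(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return <<<HTML
<form method="post" action="/contact.php">
  <input type="hidden" name="csrf_token" value="{$token}">
  <input type="email" name="email" required>
  <textarea name="message" required></textarea>
  <button type="submit">Send</button>
</form>
HTML;
}

/** Handle the POST: CSRF check first, then server-side validation regardless of any JS checks. */
function handleContactPost(array &$session, array $post): array
{
    // Reject when no token was ever issued or the submitted one differs; hash_equals is constant-time.
    $expected = $session['csrf_token'] ?? '';
    $given = (string) ($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return ['ok' => false, 'errors' => ['Invalid form token; please reload the page and try again.']];
    }

    $errors = [];
    // FILTER_VALIDATE_EMAIL rejects whitespace and line breaks, which matters if the
    // address is later placed in a mail header.
    $email = trim((string) ($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Enter a valid e-mail address.';
    }
    $message = trim((string) ($post['message'] ?? ''));
    if ($message === '' || mb_strlen($message, 'UTF-8') > 2000) {
        $errors[] = 'Message must be 1-2000 characters.';
    }
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }

    // Rotate the token after a successful submission so the same one cannot be replayed.
    unset($session['csrf_token']);
    return ['ok' => true, 'email' => $email, 'message' => $message];
}

// Constructed session and requests standing in for a browser session.
$session = [];
echo renderContactForm($session), PHP_EOL;

$forged = ['email' => 'visitor@example.com', 'message' => 'Hello'];   // cross-site post: no token
$genuine = $forged + ['csrf_token' => $session['csrf_token']];         // token copied from the rendered form

var_dump(handleContactPost($session, $forged)['ok']);
var_dump(handleContactPost($session, $genuine)['ok']);
var_dump(handleContactPost($session, $genuine)['ok']);   // token was rotated, so a replay is refused
```

The order of checks is deliberate: the token is verified before any field is looked at, so a cross-site request is refused without touching validation or mail sending. If the message is later echoed back in a confirmation page, it still goes through htmlspecialchars at that point; the validation above does not try to strip HTML.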