1

I'm creating a script on my main server and will use js/html to call it as an image source, passing the current tumblr page's referrer variable so I can integrate my blog's stats into my main stat-tracking db.

Anyone who looks at the source, of course, will be able to see that this script can accept a url variable via get. I'm not much of a security wonk, but I'm using the following checks on the input to this var, currently:

$previous_referrer = htmlspecialchars($_GET['ref']);
if (filter_var($previous_referrer, FILTER_VALIDATE_URL) && strpos($_SERVER['HTTP_REFERER'], $tumblelog_url)!== FALSE)

I'm guessing it isn't this simple. What other checks should perform to lock it down against injection attacks?

Improve this question

1 Answer 1

Reset to default
1

For inserting data safely in a database :

1) Before inserting in DB

Filter data :

  • Does my data had the expected type/patern (email,url ....)

The main purpose of filtering in first is to avoid processing useless data

Prevent from sql injection :

  • if inserting a number use function like intval(),floatval()
  • if inserting string use function like mysql_real_escape_string (for mysql only) or prepared statement.

2) After insertion , before display

Prevent Xss by using function like htmlspecialchars() or htmlentites().

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.