php-security
internal function calls only (an include file refuses to run unless the framework entry point has defined _JEXEC, so requesting the file's URL directly is blocked):
<?php //no direct access
defined( '_JEXEC' ) or die( 'Restricted access' );
?>
strip_tags: remove HTML & JavaScript tags from any entry form, e.g. a submitted value like
<jscript do hack>
//with the optional second parameter, the listed tags are kept (allowed)
echo strip_tags("<script>alert('test');</script>");
outputs:
alert('test');
htmlentities() //converts a < to &lt; (an HTML entity), so the browser shows it literally instead of treating it as markup
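Added example (not from the notes above) showing strip_tags() with and without the allowed-tags parameter, the documented limit that attributes on allowed tags are not touched, and htmlentities() as the output-encoding step. All sample values and the renderSafely() helper are constructed for this illustration.

```php
<?php
// Added example (not from the page): strip_tags() with and without the
// allowed-tags parameter, and htmlentities() for output encoding.
// Sample inputs below are constructed for illustration.

$comment = "Hello <b>world</b><script>alert('test');</script>";

// 1. No second argument: every tag is removed, text content stays.
$plain = strip_tags($comment);
// "Hello worldalert('test');"

// 2. Second argument lists the tags to keep; <script> is still removed.
$bold = strip_tags($comment, '<b>');
// "Hello <b>world</b>alert('test');"

// 3. Caveat (documented in the PHP manual): attributes of allowed tags are
//    NOT removed, so an allowed tag can still carry an event handler.
//    Allowing tags is therefore not a substitute for output encoding.
$attr = strip_tags('<b onmouseover="alert(1)">hi</b>', '<b>');
// '<b onmouseover="alert(1)">hi</b>'   (unchanged)

// 4. htmlentities() turns markup characters into entities so the browser
//    shows them literally instead of interpreting them.
$encoded = htmlentities("<script>alert('test');</script>", ENT_QUOTES, 'UTF-8');
// "&lt;script&gt;alert(&#039;test&#039;);&lt;/script&gt;"

// Practical rule: strip tags on input only if HTML is never wanted, and
// always encode at the point where the value is written into an HTML page.
// (renderSafely is a hypothetical helper name.)
function renderSafely(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES, 'UTF-8');
}

echo $plain, PHP_EOL, $bold, PHP_EOL, $attr, PHP_EOL, $encoded, PHP_EOL;
echo renderSafely("<script>alert('test');</script>"), PHP_EOL;
```

Run it with `php example.php`; the encoded output lines are what should reach the browser, the stripped ones are what should reach storage when HTML is never wanted.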
md5() //store a hash of the password; later check the
sha1() //user-typed password by hashing it again & comparing, i.e.
//the website NEVER stores the plaintext user password
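Added example (not from the notes above) of the "store a hash, never the password" flow. The notes name md5()/sha1(); those are shown only for comparison, because unsalted fast digests let identical passwords share a hash and are quick to crack once a table leaks. password_hash()/password_verify() (PHP 5.5+) add a random per-user salt and a slow work factor. The user store, the registerUser()/loginUser() helpers and the sample password are constructed for this illustration.

```php
<?php
// Added example (not from the page): register and log in against a store
// that holds only password hashes. The $users array stands in for a
// database table (constructed sample store).

$users = [];   // username => stored hash

function registerUser(array &$users, string $name, string $password): void
{
    // Stores only the hash; the plaintext is never written anywhere.
    // PASSWORD_DEFAULT picks the current recommended algorithm (bcrypt today)
    // and embeds the random salt and cost in the returned string.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function loginUser(array $users, string $name, string $typed): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    // Hashes what the user typed with the stored salt and compares it to
    // the stored hash in constant time.
    return password_verify($typed, $users[$name]);
}

registerUser($users, 'alice', 'correct horse battery staple');
var_dump(loginUser($users, 'alice', 'correct horse battery staple')); // bool(true)
var_dump(loginUser($users, 'alice', 'wrong'));                        // bool(false)

// For comparison: the legacy unsalted md5()/sha1() scheme from the notes.
// Same password -> same digest every time, so leaked tables are easy to
// crack offline with precomputed lists.
var_dump(md5('correct horse battery staple') === md5('correct horse battery staple'));   // bool(true)
var_dump(sha1('correct horse battery staple') === sha1('correct horse battery staple')); // bool(true)

// password_hash() salts randomly: two hashes of the same password differ,
// yet password_verify() accepts both.
$h1 = password_hash('x', PASSWORD_DEFAULT);
$h2 = password_hash('x', PASSWORD_DEFAULT);
var_dump($h1 === $h2);                 // bool(false)
var_dump(password_verify('x', $h2));   // bool(true)
```

If a legacy md5/sha1 table already exists, the usual migration is to verify with the old scheme at login and immediately re-store the password with password_hash(), then drop the old column once all active users have logged in.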
stripslashes: remove any slashes from any entry form, e.g. an input like
/../../../etc/passwd
http://uk3.php.net/stripslashes
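Added example (not from the notes above) showing what stripslashes() actually removes and how to handle the path from the note. stripslashes() removes backslashes, the escaping added by addslashes() or the old magic_quotes; it leaves forward slashes alone, so by itself it does not neutralise /../../../etc/passwd. The safeFilePath() helper, the demo directory and the sample values are constructed for this illustration.

```php
<?php
// Added example (not from the page): stripslashes() behaviour, then a
// basename()+realpath() check for a user-supplied file name.

var_dump(stripslashes("O\\'Reilly"));            // string(8) "O'Reilly"  (backslash removed)
var_dump(stripslashes('/../../../etc/passwd'));  // string(19) "/../../../etc/passwd"  (unchanged)

// Safe handling of a user-supplied file name (hypothetical helper):
// keep only the last path component, resolve it under a fixed directory,
// and confirm the resolved path is still inside that directory.
function safeFilePath(string $baseDir, string $userInput): ?string
{
    $name = basename($userInput);               // '/../../../etc/passwd' -> 'passwd'
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $candidate === false) {
        return null;                             // base missing, or file does not exist
    }
    // Prefix check: a symlink inside the base directory could otherwise
    // resolve to a location outside it.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo directory with one file in it.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo';
@mkdir($baseDir);
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'report.txt', 'ok');

var_dump(safeFilePath($baseDir, 'report.txt') !== null);     // bool(true)
var_dump(safeFilePath($baseDir, '/../../../etc/passwd'));    // NULL: no 'passwd' under the base dir
var_dump(safeFilePath($baseDir, '../report.txt') !== null);  // bool(true): basename() kept only 'report.txt'
```

The realpath() prefix check is the part that matters: basename() alone discards the directory part of the input, but it cannot know whether the remaining name is a symlink pointing elsewhere, and realpath() resolves that before the comparison.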
ensure the user input is an integer with intval():
$sql="SELECT * FROM product WHERE id=" . intval($_GET['id']);
similarly, you can cast:
$id = (int)$_GET['id'];
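Added example (not from the notes above) of what intval() and (int) do to typical request values, including the case where a query-string value is not a plain number, followed by the prepared-statement form for values that cannot be cast (names, search terms). The inputs are constructed, productQuery() is a hypothetical helper, and the table lives in an in-memory SQLite database so the script runs offline (the PDO part needs the pdo_sqlite extension and is skipped if it is absent).

```php
<?php
// Added example (not from the page): integer coercion of request values,
// then a bound parameter for a string value.

$inputs = ['42', ' 42 ', '42abc', 'abc', '-7', '1e3', '0x1A', '1 OR 1=1'];
foreach ($inputs as $raw) {
    printf("%-12s intval=%-5d (int)=%d\n", var_export($raw, true), intval($raw), (int) $raw);
}
// '42'        -> 42      ' 42 '  -> 42   (leading whitespace is ignored)
// '42abc'     -> 42      'abc'   -> 0    '-7' -> -7
// '1e3'       -> 1000 on PHP >= 7.1 (1 on older versions)
// '0x1A'      -> 0       (hex strings are not numeric)
// '1 OR 1=1'  -> 1       (the trailing SQL text is dropped)

function productQuery(string $rawId): string
{
    // The notes' technique: coerce to int first, interpolate only the int.
    return 'SELECT * FROM product WHERE id=' . intval($rawId);
}
echo productQuery('1 OR 1=1'), PHP_EOL;   // SELECT * FROM product WHERE id=1

// When the value is not an integer, casting is not an option; bind it as a
// parameter so the database never parses it as SQL.
if (extension_loaded('pdo_sqlite')) {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE product (id INTEGER, name TEXT)');
    $pdo->exec("INSERT INTO product VALUES (1, 'widget'), (2, 'o''ring')");

    $stmt = $pdo->prepare('SELECT name FROM product WHERE name = :name');
    $stmt->execute([':name' => "o'ring"]);   // the quote is data, not SQL
    var_dump($stmt->fetchColumn());          // string(6) "o'ring"

    // The integer case works the same way with a bound parameter, and the
    // explicit type stops a non-numeric string from being passed through.
    $stmt = $pdo->prepare('SELECT name FROM product WHERE id = :id');
    $stmt->bindValue(':id', (int) '1 OR 1=1', PDO::PARAM_INT);
    $stmt->execute();
    var_dump($stmt->fetchColumn());          // string(6) "widget"
}
```

intval() and (int) give the same result for strings; the difference the notes hint at is only stylistic. Note that both silently turn junk into 0, so if 0 is not a valid id, check for it (or use filter_var($raw, FILTER_VALIDATE_INT) and reject false) before running the query.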