Full Version: Best Practices for User Input (stop sql injection, etc.)
Stubbs
I'm just starting with MySQL (started with PHP not too long ago). I wanted to get the opinions of people who "know what they are doing" when it comes to this stuff (e.g. people unlike myself).

I plan on making a code-based site, so I want people to be able to post basic code examples, and I want live anchor tags (if that makes sense). In short, what is generally good to allow and disallow? What characters should just shut the system down and refuse entry? What characters are generally acceptable?

For example, an MSDN site somewhere suggests disallowing the semi-colon, double-dash, HTML brackets, etc.

Right now I have this sloppy mess for the actual message that would be stored (first try at it, so don't laugh):

CODE
// PHP: pad each "suspicious" character with a trailing space before storing $message
$message = str_replace(";", "; ", $message);
$message = str_replace("-", "- ", $message);
$message = str_replace("/", "\/", $message);
$message = str_replace("\"", "\" ", $message);
$message = str_replace("'", "' ", $message);
$message = str_replace("}", "} ", $message);
$message = str_replace("{", "{ ", $message);
$message = str_replace("]", "] ", $message);
$message = str_replace("[", "[ ", $message);
$message = str_replace("\\", "\ ", $message);
$message = str_replace("?", "? ", $message);
$message = str_replace("@", "@ ", $message);
$message = str_replace("*", "* ", $message);
$message = str_replace("$", "$ ", $message);
$message = str_replace("!", "! ", $message);


Sorry for such a broad question, but in general, what should I trash, and what do I need? Or better, what are the top 5 things to look for (protect against)? Thanks!

-Stubbs

<edit>I just realized that none of this will show up. I hope you guys get the idea</edit>
Brian Chandler
QUOTE
I plan on making a code-based site, so I want people to be able to post basic code examples, and I want live anchor tags (if that makes sense). In short, what is generally good to allow and disallow? What characters should just shut the system down and refuse entry? What characters are generally acceptable?


I think the "some characters good, some characters bad" idea is _exactly_ the wrong approach.

If your users upload "content", i.e. strings, then you let it contain any characters they like. Use the proper escape function when you write it to the database and there is no problem.

The other thing to avoid is anything that looks like mysql_query($_POST['something']). Never let the users send you anything other than strings. If they send names, make the names be some key in a database table, and there will never be any problem. They can happily have something identified by "/etc/password", or any of those Windows scam addresses ("../../whatever"), and as long as this is a key in the database, there can be no problem. Though it's easy to make identifiers be alphanumeric or even numeric.

Not laughing, but I'd throw away this idea of just replacing this by that. It looks too much like M$ style == paste the "security" on afterwards.
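
The two rules in the reply above, "store any characters, escape at the boundary" and "never pass user strings to mysql_query(); make user-supplied names a key in a table", worked through as an added example that is not part of this thread. It is Python with an in-memory SQLite database standing in for PHP and MySQL (an assumption for this example), and it uses bound query parameters in place of the escape function the reply mentions; the `snippets` table, its columns and the sample post are all made up here. The unsafe lookup is kept only to show what the original post's character filter was trying, and failing, to prevent.

```python
import html
import sqlite3

# Constructed sample post: a code snippet stuffed with every character the
# first post wanted to strip. It has to come back out exactly as stored.
SAMPLE_BODY = r"""<?php echo "it's 50% off"; $path = 'C:\temp'; -- ?> <script>alert(1)</script>"""


def open_db():
    """In-memory SQLite stands in for MySQL here (an assumption of this example)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE snippets ("
        " id INTEGER PRIMARY KEY, owner TEXT NOT NULL,"
        " title TEXT NOT NULL, body TEXT NOT NULL)"
    )
    return db


def save_snippet(db, owner, title, body):
    """Write path: every user string travels as a bound parameter, so the
    database never interprets it as SQL and no character needs banning."""
    cur = db.execute(
        "INSERT INTO snippets (owner, title, body) VALUES (?, ?, ?)",
        (owner, title, body),
    )
    db.commit()
    return cur.lastrowid


def find_unsafe(db, owner, title):
    """The pattern the reply warns against: user input pasted into the query text."""
    sql = "SELECT body FROM snippets WHERE owner = '%s' AND title = '%s' ORDER BY id" % (owner, title)
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def find_safe(db, owner, title):
    """Same lookup with parameters: a quote inside the title is just a quote."""
    row = db.execute(
        "SELECT body FROM snippets WHERE owner = ? AND title = ? ORDER BY id",
        (owner, title),
    ).fetchone()
    return row[0] if row else None


def load_by_id(db, raw_id):
    """The reply's other rule: let users send a key, not a name. A numeric
    key is validated before it gets anywhere near the query."""
    try:
        snippet_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    row = db.execute("SELECT body FROM snippets WHERE id = ?", (snippet_id,)).fetchone()
    return row[0] if row else None


def render(body):
    """Read path to the browser: escape for HTML only at output time, so the
    stored code stays intact and any <script> in it is displayed, not run."""
    return "<pre>%s</pre>" % html.escape(body)


if __name__ == "__main__":
    db = open_db()
    sid = save_snippet(db, "alice", "secret", SAMPLE_BODY)
    save_snippet(db, "bob", "hello", "print(1)")
    payload = "x' OR '1'='1"
    print("unsafe lookup as bob:", find_unsafe(db, "bob", payload))  # alice's snippet leaks
    print("safe lookup as bob:  ", find_safe(db, "bob", payload))    # None
    print(render(load_by_id(db, str(sid))))
```

Run it and the unsafe lookup hands bob alice's snippet because the `'` in the title closes the string literal and the rest becomes SQL; the parameterised lookup returns nothing, and the body with its quotes, backslashes, semicolons and `<script>` tag is stored and returned untouched, only being HTML-escaped when it is rendered. In PHP the equivalents are a PDO prepared statement (`$pdo->prepare(...)` then `->execute([...])`) or mysqli's `bind_param()` on the database side, and `htmlspecialchars()` on the output side.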

Stubbs
Thanks for the response and advice. Just what I needed to know (I'm taking the wrong approach). I've seen a lot of info on mysql_real_escape_string, which I think goes with what you're saying, but I have the feeling that I need to study this whole thing more first. Cheers!