privately coded message board [php & mysql] [message #246788] | Sat, 24 February 2007 16:45
lookitzhiep (Recruit) | Messages: 12 | Registered: May 2006 | Karma: 0
I've been developing my own message board in PHP and MySQL. I wanted to ask a question before I further my development. Is coding my own a bit safer than using one such as IPB or vBulletin? I was thinking that since it's my own, the exploits would be harder to find since the source isn't available, right?

Another question to pose as well: I'm addslashes()'ing any data being inserted into the database and stripslashes()'ing any data being displayed. Is there any flaw to this, as well as a better way to prevent XSS and SQL injection?

Re: privately coded message board [php & mysql] [message #246801 is a reply to message #246797] | Sat, 24 February 2007 17:20
lookitzhiep (Recruit) | Messages: 12 | Registered: May 2006 | Karma: 0
genetix wrote on Sat, 24 February 2007 18:11:
    If you are at the stage in PHP development where you are relying on addslashes then I wouldn't recommend moving onto a large project such as a forum.

    You will want to convert all characters to entities for sure. If you don't do that you will run into trouble. This also makes it so that there aren't any restrictions needed as far as quotes go.

    I would recommend hanging out here for a while first:
    http://www.devnetwork.net

Thanks for the link, I'm really just a beginner in PHP. I began to learn it as I had an interest in coding one myself. I bought a book recently and it's just getting me on my feet with the basics, so I wouldn't know of such yet.

Entities would be when a character such as "<" appears as "&lt;", right? That seems much better than having to addslashes() and stripslashes() everything! Thanks! Though if I apply this method, would I still need to filter URLs out?
[Updated on: Sat, 24 February 2007 17:20]
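The two questions in this thread, the opening post's addslashes()/stripslashes() approach to SQL injection and XSS, and this reply's question about entities and whether URLs still need filtering, shown in one added PHP example. This is not code from the thread or from any of the forum packages mentioned in it; the `posts` table, the PDO connection details, and the sample input are placeholders constructed for illustration.

```php
<?php
// Added example, not from the thread. Assumes a `posts` table with columns
// (id, author, body) in a local MySQL database; both are placeholders.
declare(strict_types=1);

// 1. SQL injection: bind values instead of escaping them with addslashes().
//    The statement text and the data travel separately, so quotes or
//    backslashes in $body can never change the meaning of the SQL.
function storePost(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function fetchPost(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT author, body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. XSS: the text is stored exactly as typed and converted to entities only
//    at the moment it is written into HTML. No stripslashes() is needed on the
//    way out because nothing was added on the way in.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 3. URLs: once text is entity-encoded, a URL inside it is inert. It only needs
//    checking if you turn it into a clickable link; then accept only http and
//    https so that no other scheme can end up in an href attribute.
function safeHref(string $candidate): ?string
{
    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($candidate, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? escapeHtml($candidate) : null;
}

function renderPost(array $post): string
{
    return '<p><b>' . escapeHtml($post['author']) . '</b>: '
         . escapeHtml($post['body']) . '</p>';
}

// Constructed input that would break both the query and the page if it were
// concatenated into SQL or echoed unescaped.
$sample = "O'Reilly <b>bold</b> \\ \"quoted\"";

// addslashes() only puts a backslash before quotes and backslashes; the HTML
// tags pass through untouched, which is why it does nothing against XSS.
echo "addslashes():       " . addslashes($sample) . "\n";
// htmlspecialchars() turns < > & " ' into entities, so the browser shows the
// text instead of interpreting it.
echo "htmlspecialchars(): " . escapeHtml($sample) . "\n";

var_dump(safeHref('http://www.devnetwork.net'));   // the URL, entity-encoded
var_dump(safeHref('ftp://example.invalid/file'));   // NULL: scheme not allowed

// Wiring it to a database (placeholder DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'user', 'pass', [
//     PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES   => false,
// ]);
// $id = storePost($db, 'lookitzhiep', $sample);
// echo renderPost(fetchPost($db, $id));
```

The design point is the separation: escaping for the database and escaping for the browser are different jobs, and neither is done by addslashes(). Prepared statements handle the first, entity encoding at output time handles the second, and a URL only needs a scheme check at the point where it is turned into a link.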

Re: privately coded message board [php & mysql] [message #246914 is a reply to message #246788] | Sun, 25 February 2007 15:11
Crimson (General (5 Stars), ADMINISTRATOR) | Messages: 7431 | Registered: February 2003 | Location: Phoenix, AZ | Karma: 0
If you're paranoid about security for your forum, FUDForum is the way to go. The guy who develops it not only wrote a book on PHP security, but he's also on the team that develops the language of PHP itself. That's why I use it on all my forums.

I'm the bawss.

Re: privately coded message board [php & mysql] [message #246958 is a reply to message #246903] | Sun, 25 February 2007 22:00
Whitedragon (Colonel) | Messages: 832 | Registered: February 2003 | Location: California | Karma: 1
danpaul88 wrote on Sun, 25 February 2007 16:12:
    Also a fairly new forum system which I personally like a lot better than phpBB is SMF; check it out at www.simplemachines.org

SMF is good. I find the code easy to work with and its mod package system is very handy.

Black-Cell.net
Network Administrator (2003 - )

DragonServ, Renegade's first IRC interface bot
Creator and lead coder (2002 - )

Dragonade, Renegade's first server side modification
Lead coder (2005 - )