#1  11-17-2009  vento (Sexy monkey; Join Date: May 2009; Location: Lithuania; Age: 16; Posts: 185)
PHP = simple webpages?

Hello. So there are lots of discussions about why PHP is bad for big projects. Mainly it's because of the ability to hack it easily. One example is SQL injection. I'm gonna have to write an internet shop for my sister soon (she asked me to), but I have little web-development experience, that's why I'm asking.

As I think about it, I can't understand how someone can hack my web-page if I check each variable each time I use it. Like the name is letters only, phone is numbers and + only, no spaces and so on... I think so at least. (And after checking I would copy it to new variables.) And I would check them all: get, session, cookies, post. I'm not very experienced in hacking web apps.

So, am I wrong? (Probably yes.) PHP has one big advantage: hosting it is cheap. It's pretty simple to find a cheap, good server to host your PHP web-page. Is there any alternative to PHP which would be safer (I would still be unsure about the security if I didn't write a function that would check) and still easy to find hosting for?

I just have no idea what else I could pick, as my main goal is to make it safe and easy to find cheap hosting for.
__________________

How to set up portable C++ IDE (Dev-C++)

"Writing in C or C++ is like running a chain saw with all the safety guards removed," — Bob Gray.
#2  11-17-2009  Umang (Moderator; Join Date: Dec 2005; Posts: 1,862)
Re: PHP = simple webpages?

No matter which language you use to code, you will have to code so that it is not possible to hack your website using SQL injection. I would suggest you read up about how SQL injections work.

How you can protect yourself:

PHP: mysql_real_escape_string - Manual, if you are using PHP's simple MySQL functionality.

If you use PDO, then it's simpler to protect yourself (by preparing queries), but not all hosts have PDO.

MDB2 is also an alternative way of connecting to the DB. This too might have an easy way of preparing queries and avoiding injection.

I don't think that ASP has some sort of automatic protection. PHP is safe, so you shouldn't believe that PHP is not safe. You'll need to protect yourself against injection even if you're using ASP.
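As an added example (not code from the thread or from either poster), here is the contrast Umang describes, shown with PDO prepared statements. It uses PDO's SQLite driver with an in-memory table so it runs without a MySQL host; the table, its rows and the customer name O'Brien are constructed for the demo.

```php
<?php
// Added example, not code from the thread: building a query by string
// concatenation versus using a PDO prepared statement.
// PDO's SQLite driver with an in-memory database is used so the script runs
// without a MySQL server; the table and rows below are constructed demo data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$db->exec("INSERT INTO customers (name, email) VALUES ('Ona', 'ona@example.com'), ('O''Brien', 'ob@example.com')");

// Unsafe: the value is pasted into the SQL text, so any quote character in it
// changes the statement itself. This is the shape of query the thread warns about.
function findByNameConcat(PDO $db, string $name): array
{
    $sql = "SELECT id, name, email FROM customers WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed and the value travels separately as a parameter,
// so the database never has to guess where data ends and syntax begins.
function findByNamePrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT id, name, email FROM customers WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Ordinary customer input that happens to contain a quote (constructed).
$input = "O'Brien";

try {
    print_r(findByNameConcat($db, $input));
} catch (PDOException $e) {
    // The apostrophe ended the string literal early and broke the statement.
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

print_r(findByNamePrepared($db, $input));
```

Run it with `php example.php`. The concatenated version throws, because the apostrophe in O'Brien terminates the string literal; the prepared version returns the row, because the value never becomes part of the SQL text. The same code works against MySQL once the DSN is changed. The mysql_real_escape_string() function Umang links to achieves the same separation by escaping the value for the open connection's character set, but it belongs to the old mysql extension, which was removed in PHP 7, so prepared statements are the portable choice.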
#3  11-17-2009  vento (Sexy monkey; Join Date: May 2009; Location: Lithuania; Age: 16; Posts: 185)
Re: PHP = simple webpages?

Ok, so I'll probably stick to PHP. So would it be enough if I check all incoming data before using it? As I imagine, it would be simple to check fields like name and number, but I have a function I have used in the past to protect myself from everything. I used it for stuff like comments and so on, where the user might type various characters and combinations (or I would have to write a heavy function that would check it, but this solution looks better to me):

Code:
<?php

require_once('openMySQL.php');

// undo the backslashes that magic_quotes_gpc adds to incoming data
function strip_magic_slashes($str)
{
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return $str;
}

function proceedString($str, $HTML = true, $slashes = true, $lineBreaks = true, $MySQL = true)
{
    if ($HTML) {
        // converts some predefined characters to HTML entities
        $str = htmlspecialchars($str);
    }
    if ($slashes) {
        // removes the \ added by magic quotes
        $str = strip_magic_slashes($str);
    }
    if ($lineBreaks) {
        // inserts HTML line breaks (<br />) in front of each newline (\n) in a string
        $str = nl2br($str);
    }
    if ($MySQL) {
        // escapes special characters in a string for use in an SQL statement
        $str = mysql_real_escape_string($str);
    }

    return $str;
}
?>
Would it protect me from everything?
And... is there any good webpage where I could find a lot of information about hacking PHP web-pages? There are many such web-sites, I'm gonna read them, but I don't want to miss anything.

P.S. Is it enough just to check all the input? Or is there any other way people may achieve what they want?
#4  11-17-2009  Umang (Moderator; Join Date: Dec 2005; Posts: 1,862)
Re: PHP = simple webpages?

As far as I can see, that's enough. However, I don't understand why you've got options to escape different types of code. (I presume you're going to select all the options for almost all types of fields).

Also, if you do want to allow HTML, then you might want to consider HTML Purifier.

If you don't want to use HTML, but still want to get basic markup, then try PHP-Markdown (if you are using Markdown, then strip the HTML tags, or use HTML Purifier).

Check if your host has PDO (PHP: PDO - Manual). If it does, then PDO is pretty useful (and easy to learn).

I used Markdown and HTML Purifier in YoungCMS. If you want to take a look at how it was done, then I could give you the source (if it isn't still somewhere on YC).

I don't know any site in particular, but if you look up and read up a little then I'm sure you'll get some useful information.

Best of luck!
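Umang's remark about the separate options for different kinds of escaping points at the real design issue in the function from post #3: each escaping step protects one output context, so it belongs where the data is used, not where it arrives, and escaping for HTML at input time and again at output time double-encodes the stored text. As an added example (not the thread's code, nor YoungCMS's), the block below keeps three things apart: whitelist validation of the fixed-format fields vento described in post #1 (the letters-only name and digits-plus-"+" phone, with patterns assumed for the demo), storage of free text exactly as typed (with a prepared statement, as in the PDO example above), and HTML escaping at render time. The sample comment and field values are constructed.

```php
<?php
// Added example (not vento's or Umang's code): validation, storage and output
// escaping as separate steps, each tied to the context it protects.

// Whitelist validation for fixed-format fields. The patterns are assumptions
// about what this shop accepts, not rules from the thread.
function validateName(string $name): bool
{
    // letters in any script, words separated by single spaces, 1 to 60 characters
    return (bool) preg_match('/^(?=.{1,60}$)\p{L}+(?: \p{L}+)*$/u', $name);
}

function validatePhone(string $phone): bool
{
    // optional leading +, then 6 to 15 digits, no spaces
    return (bool) preg_match('/^\+?[0-9]{6,15}$/', $phone);
}

// Escape for exactly one context: HTML text. ENT_QUOTES also covers attribute
// values; the charset must match the page's declared charset.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Free text such as a comment is stored as typed and escaped only when rendered.
function renderComment(string $rawComment): string
{
    return nl2br(escapeHtml($rawComment));
}

// Constructed demo data.
$comment = "Tom & Jerry <b>bold?</b>\nsecond line";

// What happens with an escape-everything-at-input pipeline like proceedString():
// the text is HTML-escaped before storage, then escaped again by the template.
$storedEscaped = nl2br(htmlspecialchars($comment, ENT_QUOTES, 'UTF-8'));
echo "double-encoded: ", escapeHtml($storedEscaped), "\n";

// Store raw, escape once on output.
echo "escaped once:   ", renderComment($comment), "\n";

var_dump(validateName("Ona Petraitė"));
var_dump(validateName("Ona42"));
var_dump(validatePhone("+37060000000"));
var_dump(validatePhone("8 600 00000"));
```

In the first echo the ampersand comes out as `&amp;amp;` and the inserted `<br />` as `&lt;br /&gt;`, which is what the visitor then sees literally on the page; in the second it is `&amp;` and a working line break. The name and phone checks accept the well-formed values and reject the ones with digits or spaces. SQL escaping is handled the same way: it is not applied to the stored text at all, because the prepared statement that writes it keeps the value out of the SQL syntax.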