Is there a generic way to prevent XSS on a form?

If we consider the basic sample code below...

HTML:

<form action="test.php" method="POST">
 <input type="text" name="test">
</form>

PHP:

<?php
// Inserts one row into `test`; the column names come from the array keys
// and the values from the array values.
function new_test($test) {
    // array_sanitise is the asker's own per-value escaping callback
    // (defined elsewhere by the asker); it is applied in place to each value.
    array_walk($test, 'array_sanitise');

    // Build the column list and the quoted value list by string concatenation.
    $fields = '`' . implode('`, `', array_keys($test)) . '`';
    $data = '\'' . implode('\', \'', $test) . '\'';

    $query = mysql_query("INSERT INTO `test` ($fields) VALUES ($data)");
    if (!$query) {
        die('Could not query:' . mysql_error());
    }
}

// Map the posted form field to a column name.
$test = array(
  'test'     => $_POST['test']
);

new_test($test);

Is this enough to protect from SQL injections & XSS breaches? Is there a better way to do it? Or is there no generic way?

Alex
  • 89
  • 1
  • 1
  • 4
  • Whenever you need to ask more than one question, it is likely that your question is too broad. Closed against a PHP XSS reference question. For sql injection please educate yourself on http://bobby-tables.com/ - And yes your code is prone to SQL injection. [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/q/60174/367456) – hakre Dec 27 '14 at 10:48
  • mysql_ functions are deprecated, please use [mysqli](http://php.net/manual/en/book.mysqli.php) or [PDO](http://php.net/manual/tr/book.pdo.php) instead of mysql_ functions. – salep Dec 27 '14 at 20:39

1 Answer

  1. Against SQL injection you should escape every piece of user input used in SQL queries, or use prepared statements/bind variables. Escaping: http://uk1.php.net/mysqli.real-escape-string.php, PDO: http://php.net/manual/en/ref.pdo-mysql.php
  2. Against XSS, you have to escape what you display to your client. But this depends on what and where you display. You have to use different escaping in HTML
    • between tags,
    • in tag attributes
    • in css
    • in javascript
    • ...

You can read more about the different methods of XSS here: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

I see you used only array_sanitise, whose code isn't added to the question, so it is hard to say what it is. But based on its usage it seems to be some kind of SQL escaping, so hopefully it helps to defend against SQL injections. Hopefully.

Mouser
  • 13,132
  • 3
  • 28
  • 54
Lajos Veres
  • 13,595
  • 7
  • 43
  • 56
  • Thanks! function array_sanitise(&$item) { $item = htmlentities(strip_tags(mysql_real_escape_string($item))); } – Alex Dec 27 '14 at 10:49
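The answer's two points (bind variables for the insert, a different escaper for each output context) and the array_sanitise shown in the comment above, worked through as an added example. This is not code from the question or the answer; it assumes a table `test` with one text column `test`, uses an in-memory SQLite database through PDO so it runs without a MySQL server, and the sample input is constructed.

```php
<?php
// Added example; not the asker's or answerer's code. Assumes PHP 7.4+,
// a table `test` with a single text column `test`, and PDO with SQLite.
declare(strict_types=1);

// 1. Storage: prepared statement instead of string concatenation.
//    The value is stored raw. No SQL escaping and no HTML encoding happen here.
function new_test(PDO $pdo, array $row): void
{
    // Only these columns may be written. This replaces the question's
    // implode(array_keys($test)), which let the request choose column names.
    $allowed = ['test'];
    $cols = array_values(array_intersect(array_keys($row), $allowed));
    if ($cols === []) {
        throw new InvalidArgumentException('no writable columns supplied');
    }
    $fieldList    = implode(', ', array_map(fn ($c) => "`$c`", $cols));
    $placeholders = implode(', ', array_map(fn ($c) => ":$c", $cols));
    $stmt = $pdo->prepare("INSERT INTO `test` ($fieldList) VALUES ($placeholders)");
    foreach ($cols as $c) {
        $stmt->bindValue(":$c", (string) $row[$c], PDO::PARAM_STR);
    }
    $stmt->execute();
}

// 2. Output: one escaper per context, applied when the value is rendered.
function esc_html(string $s): string      // text between tags and quoted attribute values
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function esc_js(string $s): string        // a string literal inside <script>
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}
function esc_url_param(string $s): string // a value inside a query string
{
    return rawurlencode($s);
}

// Constructed sample input standing in for $_POST['test'].
$input = "O'Brien <b>bold</b> & \"co\"";

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE `test` (`test` TEXT)');
new_test($pdo, ['test' => $input]);

// The quote, the tags and the ampersand were treated as data, not as SQL.
$stored = $pdo->query('SELECT `test` FROM `test`')->fetchColumn();
if ($stored !== $input) {
    throw new RuntimeException('value was altered on the way into the database');
}

// The same stored value rendered in four contexts, each with its own escaper.
echo '<p>' . esc_html($stored) . "</p>\n";
echo '<input type="text" name="test" value="' . esc_html($stored) . "\">\n";
echo '<script>var t = ' . esc_js($stored) . ";</script>\n";
echo '<a href="/search?q=' . esc_url_param($stored) . "\">link</a>\n";

// Contrast with the comment's array_sanitise, which runs
// htmlentities(strip_tags(mysql_real_escape_string($item))) at input time:
// the stored value is no longer what the user typed (tags removed, entities
// and backslashes added), esc_html() above would then encode it a second
// time, and entity encoding is not the escaping a JavaScript literal or a
// URL parameter needs. Escape for the database at the query (bind values)
// and for the page at the output, each in its own step.
```

The whitelist in new_test matters as much as the placeholders: PDO can bind values but not identifiers, so column names must come from code, never from the request.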