2

When I validate inputs I'm converting characters, including quotes, to their HTML entities. When putting them into a database I am using PDO prepared statements and passing the variables into the execute method.

Is this enough to stop SQLi and XSS attacks?

Also, on another note, what's the best way to allow hotlinked images? Because they contain slashes etc. I was thinking about checking the images to see if they contain valid headers.

Thanks

Jamie Redmond

3 Answers

2

htmlentities() may be sufficient or may be not - depending on where you insert the parameter.

E.g.

$p = 'javascript:alert(document.URL)';
echo '<a href="', htmlentities($p), '">';

prints

<a href="javascript:alert(document.URL)">

and didn't prevent the javascript injection.
And even if htmlentities() is the right function to use, you have to apply it "the right way"; see http://shiflett.org/blog/2005/dec/google-xss-example

VolkerK
1

More specifically, bound parameters prevent SQL injection (a prepared statement where you inject user input directly into the SQL stream is insufficient; user input needs to be a bound parameter).

htmlentities (or htmlspecialchars) is enough to prevent XSS in most cases (there are still some corner cases, such as if you're putting user input into a <script> context, including an onsomething event handler). These functions prevent the user from being able to enter their own script context.

MightyE
  • I would suggest `htmlspecialchars`. `htmlentities` only buys you something if you're not already transmitting the page in a decent character set (`UTF-8`). `htmlspecialchars` is meant to escape xml (and hence html) sensitive characters... – ircmaxell Aug 30 '10 at 12:47
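An added example in PHP (not code from the question or from any of the answers above) that ties the two answers together: the prepare() call that is still injectable because the input is concatenated into the SQL, beside the bound-parameter form, and a context-aware href encoder that checks the URL scheme before HTML-escaping, which is what htmlentities() alone cannot do for VolkerK's javascript: case. The safe_href() function, its http(s)-only policy and the in-memory SQLite table are assumptions made for this example.

```php
<?php
// Added example; not code from the question or the answers.
// Part 1: prepare() only stops SQL injection when user input is a bound
// parameter. An in-memory SQLite database is used so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed input: what a user might type into a search field.
$input = "x' OR '1'='1";

// Wrong: the input is concatenated into the SQL text before prepare().
// The quote characters are parsed as SQL, the OR clause runs, and every
// row comes back even though a "prepared statement" was used.
$bad = $pdo->prepare("SELECT name FROM users WHERE name = '" . $input . "'");
$bad->execute();
$badRows = $bad->fetchAll(PDO::FETCH_COLUMN);   // ['alice', 'bob']

// Right: the input travels as a bound parameter, separate from the SQL
// text, so it can only ever be compared as a literal string value.
$good = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$good->execute([':name' => $input]);
$goodRows = $good->fetchAll(PDO::FETCH_COLUMN); // []

// Part 2: output encoding depends on context. htmlspecialchars() is the
// right tool for text and attribute values, but a URL placed in href also
// needs its scheme checked, because "javascript:" contains no HTML
// metacharacters and survives htmlentities() untouched.
function safe_href(string $url): string {
    // Hypothetical policy for this example: allow only http(s) URLs and
    // replace anything else (including javascript: URLs) with a placeholder.
    // parse_url() returns null/false for missing or malformed schemes, which
    // the cast turns into '' and the allowlist then rejects (fail closed).
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array(strtolower((string)$scheme), ['http', 'https'], true)) {
        $url = '#';
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$p = 'javascript:alert(document.URL)';
echo '<a href="', safe_href($p), '">link</a>', PHP_EOL;
// <a href="#">link</a>
echo '<a href="', safe_href('https://example.com/?q=a&b="'), '">', PHP_EOL;
// <a href="https://example.com/?q=a&amp;b=&quot;">
```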
0

I would highly recommend not converting characters to their entities. Use Unicode for your tables and you can store any character. Furthermore, you can easily search for values in the database without any false results. E.g. searching for "uml" would also return every string with any German umlaut, e.g. ü in the string, which you would have to filter with PHP afterwards.

You might just filter any tags using strip_tags() or just remove <script> tags with a regex before inserting the data.

2ndkauboy