So I'm building a PHP web app and I need to make sure it's secure from XSS and CSRF. I have looked at articles and I know the methods to prevent these attacks, like using htmlspecialchars or htmlentities for XSS, and for CSRF I need to use the random token method. However, I'm not sure when to use which.
Do I create a method that uses htmlspecialchars and wrap it around every variable I want to print that a user has entered? Most of the data in the web app is stored in a database. I use prepared statements to do this, but do I still have to sanitize the input?
For CSRF, is it necessary to generate a new token after every refresh or form submit, or would one per session be okay?
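As an added example (not the original poster's code), a minimal PHP script that puts the two techniques from the question side by side: htmlspecialchars applied at output time, and a per-session CSRF token that is generated once and checked with hash_equals on every POST. It assumes PHP 7 or later with sessions enabled; the field names csrf_token and comment are hypothetical.

```php
<?php
// Added example: output escaping plus per-session CSRF token handling.
// session_start() must run before any output is sent.
declare(strict_types=1);
session_start();

// Escape a value for an HTML text or attribute context. Prepared statements
// protect the database query; they do nothing for HTML output, so escaping
// happens here when the value is printed, not when it is stored.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Return the session's CSRF token, creating it on first use (one per session).
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to include in every state-changing form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="' . e(csrf_token()) . '">';
}

// Validate a submitted token; hash_equals compares in constant time.
function csrf_check($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== ''
        && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // Store $_POST['comment'] raw via a prepared statement here; do not
    // HTML-escape it before saving, escape it when it is displayed.
}

// Render the form; user-supplied data is escaped only at this point.
echo '<form method="post">' . csrf_field()
   . '<input name="comment" value="' . e($_POST['comment'] ?? '') . '">'
   . '<button>Send</button></form>';
```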