For example, let's say I have a website that receives and displays user comments (text). I am concerned with vulnerabilities from receiving user submissions and also when the submissions are displayed.

Concerns:

  • Cross-site scripting attack

  • SQL injection

My question is: are there more attacks that could come from user text inputs? Also, in what ways can I guard against such attacks using PHP and JavaScript?

Thanks, and merry Xmas!

whamsicore
    Possible duplicate: [XSS filtering function in PHP](http://stackoverflow.com/questions/1336776/xss-filtering-function-in-php) – Kevin Ji Dec 25 '11 at 02:32
  • possible duplicate of [What's the best method for sanitizing user input with PHP?](http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php) – rook Dec 25 '11 at 02:46
  • Possible duplicate of [What's the best method for sanitizing user input with PHP?](http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php) – Oleg V. Volkov Mar 07 '17 at 21:29

4 Answers

1

JavaScript is not a barrier against XSS or CSRF attacks, so you should take care of server-side protection. If you are talking about functions, then these will help you against XSS: htmlentities(), strip_tags(), utf8_decode(); and, as Zar said, mysql_real_escape_string will help you against SQL injection. There are a lot of articles devoted to SQL injection, XSS, CSRF and session hijacking. Go to http://phpsec.org/projects/guide/ and read it all.

moriesta
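The two server-side controls named in the answer above, worked through as an added example (this is not code from the answer or from any library): the comment is encoded for an HTML text context with htmlspecialchars() at display time, and the comment form is tied to a per-session CSRF token. The function names renderComment, issueCsrfToken and verifyCsrfToken are illustrative, and the $session array stands in for $_SESSION so the script runs offline.

```php
<?php
// Added example, not from the original answers. Output-encode comments for
// HTML display and protect the comment form with a CSRF token.
// renderComment / issueCsrfToken / verifyCsrfToken are illustrative names;
// $session is a stand-in for $_SESSION.

declare(strict_types=1);

// Encode a comment for an HTML text context. ENT_QUOTES also encodes ' and ",
// so the same output is safe inside a double- or single-quoted attribute.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function renderComment(string $comment): string
{
    return htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Issue one random token per session and reuse it for every form in that session.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison; a missing or mismatched token rejects the POST.
function verifyCsrfToken(array $session, array $post): bool
{
    if (empty($session['csrf_token'])
        || !isset($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// --- demonstration with constructed input ---
$attackerComment = '<img src=x onerror="alert(document.cookie)"> & "quotes"';

// Every <, >, & and quote comes out as an entity, so the browser shows it as text.
echo renderComment($attackerComment), "\n";

// strip_tags() with an allow-list does not touch attributes of allowed tags,
// so an event handler on an allowed <b> tag survives untouched.
echo strip_tags('<b onclick="alert(1)">bold</b>', '<b>'), "\n";

$session = [];
$token = issueCsrfToken($session);

// The token goes into the form; it is encoded like any other value on output.
printf('<input type="hidden" name="csrf_token" value="%s">%s', renderComment($token), "\n");

var_dump(verifyCsrfToken($session, ['csrf_token' => $token]));    // genuine submission
var_dump(verifyCsrfToken($session, ['csrf_token' => 'forged']));  // cross-site forgery
```

The encoding has to match the context the comment lands in: htmlspecialchars() is correct for element text and quoted attributes, but not for a JavaScript string, a URL or a CSS value, which need their own encoders. Storing the raw comment and encoding at output time keeps the data intact and lets each output context pick the right encoder.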
0

You can use strip_tags($var) to guard yourself against XSS.

mysql_real_escape_string($var) will give you basic SQL injection protection.

Zar
  • Of course, it's preferable to use prepared statements and PDO instead of `mysql_real_escape_string`. – Kevin Ji Dec 25 '11 at 02:35
  • strip_tags() is a really shitty function for preventing XSS, and parameterized queries are the best way to stop SQLi. – rook Dec 25 '11 at 02:45
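The PDO prepared statements recommended in the comments above, shown as an added example beside the concatenated query they replace (this is not code from the answer or the comments). It uses an in-memory SQLite database and two constructed comment rows so it runs offline; the function names are illustrative.

```php
<?php
// Added example, not from the original answer. Storing and querying comments
// with PDO prepared statements instead of escaping. Uses an in-memory SQLite
// database so it runs offline; the schema and sample rows are constructed here.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

// Insert with bound parameters: the comment body is data, never part of the SQL text.
function addComment(PDO $pdo, string $author, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Vulnerable: the author name is concatenated into the query string.
function commentsByAuthorUnsafe(PDO $pdo, string $author): array
{
    $sql = "SELECT author, body FROM comments WHERE author = '" . $author . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the same query with a bound parameter.
function commentsByAuthor(PDO $pdo, string $author): array
{
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data; the embedded apostrophe needs no special handling.
addComment($pdo, 'alice', "Nice post; it's great");
addComment($pdo, 'bob', 'Merry Xmas');

// Constructed attack string: closes the quoted literal and appends a tautology.
$injection = "nobody' OR '1'='1";

// Concatenation: the query becomes ... WHERE author = 'nobody' OR '1'='1' and matches every row.
echo count(commentsByAuthorUnsafe($pdo, $injection)), " rows from the concatenated query\n";

// Prepared statement: the whole string is compared as one author name, so nothing matches.
echo count(commentsByAuthor($pdo, $injection)), " rows from the prepared statement\n";
```

Bound parameters also cover the case escaping misses: a numeric column compared as `WHERE id = $id` has no quotes to escape, so mysql_real_escape_string() does nothing for `1 OR 1=1`, while a bound integer parameter is still just a value. With the MySQL driver, set `PDO::ATTR_EMULATE_PREPARES` to false so the statement is prepared by the server rather than interpolated client-side.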
0

Have a look at the PHP Filter library, which is made to clean and validate different types of data, from booleans to email addresses; functions like filter_input and filter_input_array could make your application more secure and smart.

Nazariy
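Using the filter functions mentioned above on a whole comment submission, as an added example that is not part of the answer. The $submission arrays are constructed here in place of $_POST so the script runs offline; in a real request handler, filter_input_array(INPUT_POST, $definition) applies the same $definition to $_POST. The field names and length cap are assumptions for the example.

```php
<?php
// Added example, not from the original answer. Validating a comment submission
// with filter_var_array(); the definition works unchanged with
// filter_input_array(INPUT_POST, $definition) against a real request.

declare(strict_types=1);

$definition = [
    // Reject anything that is not a well-formed address.
    'email' => FILTER_VALIDATE_EMAIL,
    // The post being commented on: must be an integer >= 1.
    'post_id' => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 1],
    ],
    // Free text has no validating filter, so only cap its length here
    // (2000 bytes is an assumed limit) and encode it with htmlspecialchars()
    // when it is displayed, not here.
    'comment' => [
        'filter'  => FILTER_CALLBACK,
        'options' => fn($s) => (is_string($s) && strlen($s) <= 2000) ? $s : null,
    ],
];

// Returns the filtered values plus the names of fields that failed or were missing.
// filter_var_array() yields false for a value a filter rejected and null for an
// absent key, so both are treated as invalid.
function validateSubmission(array $input, array $definition): array
{
    $result = filter_var_array($input, $definition);
    $invalid = [];
    foreach (array_keys($definition) as $field) {
        if (!isset($result[$field]) || $result[$field] === false) {
            $invalid[] = $field;
        }
    }
    return ['values' => $result, 'invalid' => $invalid];
}

// Constructed submissions standing in for $_POST.
$good = ['email' => 'reader@example.com', 'post_id' => '42', 'comment' => 'Merry Xmas!'];
$bad  = ['email' => 'not-an-address',     'post_id' => '0',  'comment' => str_repeat('x', 3000)];

print_r(validateSubmission($good, $definition));   // 'invalid' is empty; post_id is now int 42
print_r(validateSubmission($bad, $definition));    // 'invalid' lists all three fields
```

Validation filters decide whether to accept the request; they do not make the comment safe to print. The comment still needs output encoding for the HTML it is rendered into, and the database write still needs a prepared statement.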
-2

If you are using AJAX to send some form data to the server as part of the URL, encode it like this

encodeURIComponent(yourFormInputData);

and remember to decode it on the server side.

Chibuzo
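What the server actually receives after the browser's encodeURIComponent(), as an added example that is not part of the answer. rawurlencode() is PHP's counterpart (both percent-encode `+`, `&`, `%` and `/`), used here to construct the query string offline in place of a real XMLHttpRequest; parse_str() performs the same decoding PHP applies when it fills $_GET and $_POST. The function names and the sample comment are constructed for the example.

```php
<?php
// Added example, not from the original answer. Percent-encoding is transport
// encoding only: the server gets the original bytes back and must still treat
// them as untrusted (output encoding, prepared statements). It also shows that
// PHP has already decoded $_GET/$_POST, so decoding again corrupts the value.

declare(strict_types=1);

// Build the query string the browser would send with encodeURIComponent().
function buildQuery(array $params): string
{
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = rawurlencode((string) $key) . '=' . rawurlencode((string) $value);
    }
    return implode('&', $pairs);
}

// Decode it the way PHP does for $_GET/$_POST.
function parseQuery(string $query): array
{
    parse_str($query, $out);
    return $out;
}

// Constructed comment containing every character that the encoding has to protect.
$comment = 'C++ & Lua: 100% <b>safe</b>?';

$query = buildQuery(['comment' => $comment]);
echo $query, "\n";                                 // no literal +, &, % or < left in the URL

$received = parseQuery($query)['comment'];
var_dump($received === $comment);                  // PHP has already restored the original

// A second urldecode() on the already-decoded value turns '+' into spaces and
// misreads '% ' as the start of an escape sequence, so the comment is no longer the same.
$decodedTwice = urldecode($received);
var_dump($decodedTwice === $comment);
echo $decodedTwice, "\n";
```

The practical rule: read the value from $_GET or $_POST and do not call urldecode() on it; the decoded text is the same untrusted input it was before encoding, so the XSS and SQL injection controls from the other answers still apply unchanged.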