Best way to defend against mysql injection and cross site scripting

by

Just doing a lot of stuff that you don’t really understand, is not going to help you. You need to understand what injection attacks are and exactly how and where you should do what.

In bullet points:

  • Disable magic quotes. They are an inadequate solution, and they confuse matters.
  • Never embed strings directly in SQL. Use bound parameters, or escape (using mysql_real_escape_string).
  • Don’t unescape (eg. stripslashes) when you retrieve data from the database.
  • When you embed strings in html (Eg. when you echo), you should default to escape the string (Using htmlentities with ENT_QUOTES).
  • If you need to embed html-strings in html, you must consider the source of the string. If it’s untrusted, you should pipe it through a filter. strip_tags is in theory what you should use, but it’s flawed; Use HtmlPurifier instead.

See also: What’s the best method for sanitizing user input with PHP?

More Related Contents:

  1. xss attack on a php page
  2. How can I prevent SQL injection in PHP?
  3. SQL injection that gets around mysql_real_escape_string()
  4. How can I sanitize user input with PHP?
  5. What are the best practices for avoiding xss attacks in a PHP site [closed]
  6. The ultimate clean/secure function
  7. Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
  8. Examples of SQL Injections through addslashes()?
  9. CodeIgniter – why use xss_clean
  10. How do you set up use HttpOnly cookies in PHP
  11. Is htmlspecialchars enough to prevent an SQL injection on a variable enclosed in single quotes?
  12. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘WHERE `id` [closed]
  13. how to get client’s IP address in sql database [closed]
  14. Combine multiple sql / mysql queries in one query
  15. Cleansing User Passwords
  16. When should I use prepared statements?
  17. Cannot simply use PostgreSQL table name (“relation does not exist”)
  18. SELECT COUNT(*) AS count – How to use this count
  19. Simple PHP Pagination script [closed]
  20. Preventing session hijacking
  21. Use bound parameter multiple times
  22. Are mysql_real_escape_string() and mysql_escape_string() sufficient for app security?
  23. how safe are PDO prepared statements
  24. Hiding true database object ID in url’s
  25. Fatal error: Uncaught exception ‘mysqli_sql_exception’ with message ‘No index used in query/prepared statement’
  26. Codeigniter CSRF – how does it work
  27. I’m getting this error code: Invalid argument supplied for foreach() [duplicate]
  28. Do I have to use mysql_real_escape_string if I bind parameters?
  29. Unique key generation
  30. Is it possible to execute PHP with extension file.php.jpg?

Leave a Comment