Secure user input


Post by NewVoxel on Tue Oct 16, 2012 8:56 am

Hello everyone. I'm working on a new website and need a secure way to get input from the users. I made the mistake last time of not thoroughly validating the users' input and plenty of XSS ensued. Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags, or would I just be better off spending the extra time to create something like the BBCode that's found on these forums?
"Don't include a single line in your code which you could not explain to your grandmother in a matter of two minutes."

And of course... assume your grandmother is not Ada Lovelace.

http://www.newvoxel.com/


Re: Secure user input

Post by 0phidian on Tue Oct 16, 2012 12:25 pm

Code:
htmlentities()              // escape a value before echoing it into an HTML page (XSS)
mysql_real_escape_string()  // escape a value before placing it inside an SQL string literal (SQL injection)


Those functions should work for preventing XSS and SQL injection. You may also want to implement more security based on whatever you're doing. Here's a link to some basic PHP security tutorials.
http://www.youtube.com/course?list=EC5F8BFE541D972472
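An added example, not code from this thread, showing one way to do what the original poster asks for: escape everything with htmlentities() at output time, re-enable only a fixed allowlist of attribute-free tags, convert a BBCode marker after escaping, and bind parameters with PDO instead of building SQL strings. The function names safe_html and store_post and the posts table are this example's own assumptions.

```php
<?php
// Added example (not from the thread). Assumes PHP with PDO and a table
// posts(user_id, body); safe_html and store_post are names chosen here.
declare(strict_types=1);

// Escape all HTML first, then re-enable a small set of attribute-free tags by
// exact match on their escaped form. Anything that is not literally "<b>" or
// "</b>" (for example "<b onmouseover=...>") stays inert, escaped text.
function safe_html(string $input, array $allowed = ['b', 'i', 'u', 'code']): string
{
    $out = htmlentities($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    foreach ($allowed as $tag) {
        $out = str_replace(
            ["&lt;{$tag}&gt;", "&lt;/{$tag}&gt;"],
            ["<{$tag}>", "</{$tag}>"],
            $out
        );
    }
    // BBCode-style [b]...[/b] is converted after escaping, so the text inside
    // the marker has already been neutralised.
    $out = preg_replace('#\[b\](.*?)\[/b\]#s', '<b>$1</b>', $out);
    return $out;
}

// Store the raw submission with a bound parameter. The database driver sends
// the value separately from the statement, so no escaping is needed here and
// the text is escaped exactly once, at output, by safe_html().
function store_post(PDO $db, int $userId, string $body): void
{
    $stmt = $db->prepare('INSERT INTO posts (user_id, body) VALUES (:uid, :body)');
    $stmt->execute([':uid' => $userId, ':body' => $body]);
}

// Constructed sample input: an allowed tag, a script tag, an allowed tag name
// carrying an attribute, a BBCode marker, and a "<" inside an allowed tag.
$sample = '<b>bold</b> <script>run()</script> <b onmouseover="x">x</b> '
        . '[b]bb[/b] <code>a < b</code>';
echo safe_html($sample), "\n";
```

Escaping belongs at the point of output, and the allowlist must stay attribute-free; permitting any attribute would reopen the XSS that the escaping just closed.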


Re: Secure user input

Post by NewVoxel on Wed Oct 17, 2012 12:40 am

Cheers, that looks like a better solution than the strip_tags() function I've been using. I have most of the stuff in the video tutorials down pat, but the session hijacking was pretty cool; I had no idea it was that easy to gain control of an admin account. I'm trying to get my site up and running by the end of the month http://www.newvoxel.com/ and I'll probably get this site to pen-test it as I'm sure there will be heaps of stuff that I've missed. GET EXCITED!
