Secure user input

[NewVoxel]

Hello everyone. I'm working on a new website and need a secure way to get input from the users. I made the mistake last time of not thoroughly validating the users input and plenty of XSS ensured. Is there a catchall function somewhere that works well for sanitizing user input for sql injection and XSS attacks, while still allowing certain types of html tags, or would I just be better off spending the extra time to create something like the BBCode that's found on these forums?

[0phidian]

Code: Select all

htmlentities()
mysql_real_escape_string()


Those functions should work for preventing XSS and SQL injection. You may also want to impliment more security based on whatever your doing. Here's a link to some basic php security tutorials.
http://www.youtube.com/course?list=EC5F8BFE541D972472

[NewVoxel]

Cheers, that looks like a better solution than the strip_tags() function I've been using. I have most of the stuff in the video tutorials down pat, but the session hijacking was pretty cool; I had no idea it was that easy to gain control of an admin account. I'm trying to get my site up and running by the end of the month http://www.newvoxel.com/ and I'll probably get this site to pen-test it as I'm sure there will be heaps of stuff that I've missed. GET EXCITED!