I am not a professional web developer but I love web development as a hobby..
I am a student and I was asked to make a departmental event web site. I need to create HTML forms for user registration. I am aware of XSS Scripting attack and SQL Injection. But don’t know how they exactly work. I am using PHP and MySQL on server side.
I am taking in consideration:
- Not to take empty values.
- Verify that a number field is composed of integer values only.
- Email ID verification. etc..
All this I am doing using RegEx check – both with javascript and PHP
Now my questions are:
- What are all characters which I should not allow into my database?
- Will it be okay if I convert < and > with their
<and>alternatives? - What else should I consider while taking the input?
I don’t want to restrict users from inputting symbols which are harmless. So is there any particular set of character which I need to filter before storing the values into the database, so I can properly write regex checks for my form fields?
I have searched in google but was not able to find a proper answer. 🙁
To prevent SQL injection, you should use the language’s escape function. For PHP, that’s
mysql_real_escape_string. Or, better yet, use PDO to restrict what users can put into the DB.The HTML injection/XSS attack is different; you can store raw HTML in the database without issue, but before displaying any HTML originating with the user, call
htmlspecialcharacterson it to prevent it from being interpreted by the client’s web browser.Do not code your own custom checks. You will miss something.