I have recently inherited a large website. I have been checking it for security flaws.
I have the following code, which is called when the user submits an update to their user details:
// Ajax request (MooTools Request.JSON) sent when the user saves their details
new Request.JSON({
    method: 'get', url: 'ajax.ashx', autoCancel: true, urlEncoded: false, secure: false,
    headers: { "Content-type": "application/json" },
    onSuccess: function (_json) {
        if (!_json.error) {
            // Copy the values the server echoed back into the read-only profile view
            $('inp_firstname').value = _json.fn;
            $('inp_surname').value = _json.sn;
            $('usr_Country').value = $(ddlCountry0).getSelected()[0].get('text');
            $('inp_companyname').value = _json.cn;
            $('inp_website').value = _json.ws;
            $('inp_facebook').value = _json.fb;
            $('inp_twitter').value = _json.tw;
            $('bus_Activity').value = $(ddlActivity0).getSelected()[0].get('text');
            $('private_contacts').value = $(chkPrivateContacts).checked;
            hidePopup('editDetailsPopup');
        }
    }
}).get({
    // Request parameters; removeTags() is the only "sanitisation" applied
    'm': 'editDetailsPro',
    'fn': removeTags($('firstname').value),
    'sn': removeTags($('surname').value),
    'pwd': removeTags($('password').value),
    'country': $(ddlCountry0).getSelected()[0].get('value'),
    'cn': removeTags($('companyname').value),
    'ws': removeTags($('website').value),
    'ac': $(ddlActivity0).getSelected()[0].get('value'),
    'pc': $(chkPrivateContacts).checked == 1,
    'fb': removeTags($('facebooklink').value),
    'tw': removeTags($('twitterlink').value)
});
It turns out that the function removeTags() doesn't do anything. There is also no server-side validation of input, so this is a big security hole.
What do I need to check for client-side to make sure that legitimate users can enter their data, and are there library functions that will do all these checks for me (I couldn't find any)? When it gets to the server, do I turn it back into its original form, or stick it into the database as it is?
MooTools has the stripTags method, I think that's what you want: http://mootools.net/docs/more/Types/String.Extras#String:stripTags

Might I add though that you should never do JavaScript sanitization alone? Always do server-side validation and sanitization of incoming user input. Seeing as you use ASP.NET, check this link:
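The server-side validation the answer calls for, as an added example that is not part of the question or the answer: a validator for the editDetailsPro parameter set the client sends (fn, sn, cn, ws, fb, tw, country, ac, pc), written as a plain Node.js function so it runs stand-alone; the site's real handler is ajax.ashx (ASP.NET), so the rules would be ported there. The allowed country and activity ids are constructed, and the password is left out because a password is hashed, never tag-stripped.

```javascript
// Added example, not code from the site: validate the editDetailsPro
// parameters on the server and reject (not "clean") anything that does
// not match the expected shape. Stored values are kept as submitted and
// HTML-encoded only when rendered.
const NAME_RE = /^[\p{L}\p{M}' .-]{1,60}$/u;        // letters, apostrophe, hyphen, space
const ALLOWED_COUNTRIES = new Set(['1', '2', '3']);  // constructed: ids behind ddlCountry0
const ALLOWED_ACTIVITIES = new Set(['10', '20']);    // constructed: ids behind ddlActivity0

// Optional URL fields: empty is fine, otherwise an absolute http(s) URL only.
function validUrl(value) {
  if (typeof value !== 'string' || value.length === 0) return true;
  if (value.length > 200) return false;
  try {
    const u = new URL(value);                        // throws on non-URLs
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch { return false; }
}

// Returns { ok: true, data } with normalised values, or { ok: false, errors }.
function validateEditDetails(params) {
  const errors = [];
  const data = {};
  for (const key of ['fn', 'sn']) {                  // names: allow-list of characters
    const v = String(params[key] ?? '').trim();
    if (!NAME_RE.test(v)) errors.push(key); else data[key] = v;
  }
  const cn = String(params.cn ?? '').trim();         // company: free text, bounded length
  if (cn.length > 100) errors.push('cn'); else data.cn = cn;
  for (const key of ['ws', 'fb', 'tw']) {            // links: scheme and length checked
    const v = String(params[key] ?? '').trim();
    if (!validUrl(v)) errors.push(key); else data[key] = v;
  }
  if (!ALLOWED_COUNTRIES.has(String(params.country))) errors.push('country');
  else data.country = String(params.country);
  if (!ALLOWED_ACTIVITIES.has(String(params.ac))) errors.push('ac');
  else data.ac = String(params.ac);
  data.pc = params.pc === true || params.pc === 'true'; // strict boolean, not `== 1`
  return errors.length ? { ok: false, errors } : { ok: true, data };
}

// Output encoding for an HTML context; applied when the stored value is rendered.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
```

Because the client can be bypassed entirely, the handler must run this check on every request regardless of what removeTags() or stripTags() did in the browser.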