I want to make sure rogue users can’t damage my site or database by inserting code in my input fields.
What kind of code should I use to test it?
I know there are html tags like iframe but I don’t know what to put inside to test it.
Thanks.
HTML

I think using htmlspecialchars() (it's a function in PHP, but other languages may have similar functions) or using other markup systems like those of phpBB and MediaWiki would work. Allowing HTML tags by black/whitelisting tag names can work, but it's quite dangerous: a cracker could harm your site by XSSing. For example, you may think that only allowing p, br, img, font, a is OK (BTW, it's not good to use font when one can use CSS), but XSS can be done by inputting <img src="asdf" onerror="alert('hi')"/> or <a href="javascript:alert('hi')">.

SQL
You should be aware of SQLi – injecting SQL commands.
An example of SQLi is:
A way to avoid being SQLi'd in PHP is using mysql_real_escape_string().
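To make the answer's two points concrete for testing your own handling, here is an added example (not the answerer's code, and in Python rather than PHP): a hypothetical tag-name allowlist sanitizer is run over the two XSS inputs quoted above and shown to keep the event handler and javascript: URL, whereas escaping (html.escape, the Python analogue of htmlspecialchars()) neutralises both; a parameterised query against an in-memory SQLite table shows how a quote in input is bound as data instead of becoming SQL. The inputs, table and function names are constructed for this illustration.

```python
import html
import re
import sqlite3

# Constructed sample inputs: the two XSS vectors quoted in the answer, and a
# value containing a quote character that would break a string-built SQL query.
XSS_SAMPLES = [
    '<img src="asdf" onerror="alert(\'hi\')"/>',
    '<a href="javascript:alert(\'hi\')">x</a>',
]
SQL_SAMPLE = "O'Brien"

ALLOWED_TAGS = {"p", "br", "img", "a"}  # the kind of allowlist the answer warns about


def naive_tag_whitelist(text: str) -> str:
    """Hypothetical sanitizer that checks only tag *names* against an allowlist.
    Every attribute of an allowed tag is kept, which is exactly the gap described."""
    def keep_or_drop(m):
        return m.group(0) if m.group(1).lower() in ALLOWED_TAGS else ""
    return re.sub(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>", keep_or_drop, text)


def escape_all(text: str) -> str:
    """Python analogue of PHP htmlspecialchars(): markup becomes inert text."""
    return html.escape(text, quote=True)


def still_has_script_vector(fragment: str) -> bool:
    """Detection check: is an on* handler or javascript: URL still inside a tag?"""
    return re.search(r"<[^>]*(\bon\w+\s*=|javascript:)", fragment, re.IGNORECASE) is not None


def lookup_user_parameterized(conn, name):
    """Parameterised query: the driver binds the value, so quotes cannot alter the SQL."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES (?)", (SQL_SAMPLE,))
    return {
        # True means the sanitizer let a script vector through
        "whitelist_leaks": [still_has_script_vector(naive_tag_whitelist(s)) for s in XSS_SAMPLES],
        "escaped_leaks": [still_has_script_vector(escape_all(s)) for s in XSS_SAMPLES],
        "rows_found": len(lookup_user_parameterized(conn, SQL_SAMPLE)),
    }


if __name__ == "__main__":
    print(demo())
```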