Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
If my site ever goes live (don’t think it will, its just a learning exercise at the moment).
I’ve been using mysql_real_escape_string(); on data from POST, SERVER and GET.
Also, I’ve been using intval(); on strings that must only be numbers.
I think this covers me from sql injection? Correct? Can i do more?
But, I’m not sure how it provides (if it provides any protection at all) from XSS injection?
Any more information on how to combat these two forms of attacks is appreciated.
No. It makes a terrible mess of your data.
Yes. You can protect your code from SQL injections.
Here is a brief explanation I’ve made already
Only I have to add that you should not spoil your source data arrays.
POST array has noting to do with SQL. The data may go into email, an HTML form, a file, online service, etc. Why treat it all with SQL protection?
On the other hand, you may take your data not from POST but from a file, online service, other query.
So, you have to protect not source arrays, but actual data that goes into query
Speaking of XSS, there are no simple universal rule again.
But in general, you have to use
htmlspecialchars($data,ENT_QUOTES);for the every untrusted data you output as a text, and some other kinds of validations in some special cases, like filenames