What else do you think would be a great tool to prevent form injection, URL injection, or any other kind of injection?
Not too specific to the code, just the big picture.
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
What else do you think would be a great tool to prevent form injection, URL injection, or any other kind of injection?
Not too specific to the code, just the big picture.
filter your input / validate your output
That’s it. For avoiding script injections, or any other kind of Cross-site Scripting, you need to ensure that any character displayed on the webpage as part of text is not any of the 5 special html characters. Use
htmlspecialcharsto encode them to their equivalent html entities (which are displayed normally, but not processed by the html engine):For SQL injection, the principle is the same, avoid special SQL characters in your queries, by using
mysql_real_escape_string,mysqli_real_escape_string,pg_escape_string,PHP Data Objects (PDO)or prepared statements.To avoid shell commands injection, you need to avoid another set of characters. Use
escapeshellcmdandescapeshellarg.And for other mediums, other characters are involved, and other functions needed. As someone said in a comment, there is no silver bullet.