lostprophetpunk Posted September 18, 2009 Share Posted September 18, 2009 What is the best way to prevent from XSS, SQL Injections and other forms of attacks when having forms in your PHP application? I have always gone with the mysql_real_escape_string() and the htmlentities() for the SQL and XSS attacks... It's just that I want to know the ways of fully (well, there will always be a way to get through it) sanatize your data input without the use of a database... ...and also the ways of fully sanatizing your input data with the use of a database. If anyone could please shed some deeper detail on this, it would be great. Quote Link to comment https://forums.phpfreaks.com/topic/174736-security/ Share on other sites More sharing options...
RussellReal Posted September 18, 2009 Share Posted September 18, 2009 thats about all you really CAN do I think lol Quote Link to comment https://forums.phpfreaks.com/topic/174736-security/#findComment-920938 Share on other sites More sharing options...
abazoskib Posted September 19, 2009 Share Posted September 19, 2009 do client side validation with JavaScript(for those who enable it) and then server side with the way you described it. you can also have a seperate mysql user account with specific grants for different forms. a login form would only need the select feature, and a registration form select/insert. in other words, don't allow delete permission when not needed. some would argue that grants slow down your database execution times, but for a webapp i believe it to be a necessity. Quote Link to comment https://forums.phpfreaks.com/topic/174736-security/#findComment-921062 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.