Can I protect my site excluding XSS and Sql injection?

Question

Can I protect my site excluding XSS and Sql injection?

So, members of my site can post topics, reply, comment, edit them, etc. I always use htmlspecialcharsand addslashesfor html inputs to protect my website against XSS and SQL injection attacks. Is there enough or is there something else that I missed?
Thank.

+5

security php mysql sql-injection xss

good_evening Jun 2 '10 at 15:57

source share

6 answers

(. PDO), SQL-. htmlspecialchars() XSS.

:

http://phpsec.org/projects/guide/

http://cwe.mitre.org/top25/#Listing

http://www.owasp.org/index.php/Top_10_2010-Main

+6

TheMagician 02 . '10 16:19

SQL- escape, , , PostGreSQL pg_escape_string, , . mysql_real_escape_string.

+2

Justin Ethier 02 . '10 16:00

mysql_real_escape_string() SQL, addlashes. (, MySQL)

+2

baloo 02 . '10 16:01

. PDO , mysql_real_espace_string.

, , , htmlentities.

0

ggfan 02 . '10 16:49

SQL-:

addlashes mysql_real_escape_string . . . , - .
. / . ( - script)

XSS:

Do not allow users to use HTML.
To prevent this, you can use both strip_tags()(without permitted tags) and htmlspecialchars().
If you want to allow some markup, consider using BB code.

CSRF:

Any significant form must contain a unique token, which should be compared with the one stored in the session.

0

Your common sense Jun 2 '10 at 17:04

source share

rook · Accepted Answer · 2010-06-02T18:50:21+0000

A lot of things can go wrong in a web application. In addition to XSS and SQLi, there are:

CSRF - Cross-Site Request Forgery
LFI / RFI - local file inclusion / remote file called include(), require()...
Enabling CRLF in mail()
. , register_globals, extract(), import_request_variables()
: fopen(), file_get_contents(), file_put_conents()
eval() preg_replace() /e
passthru(), exec(), system() ``

" " , OWASP Top 10, - .

Scarlet - , , .

, Wordpress. CWE, , -.

Can I protect my site excluding XSS and Sql injection?

SQL-:

XSS:

CSRF:

More articles: