I found a lot of information about sanitizing, filtering, and validating forms when it comes to simple inputs like email, phone numbers, addresses, etc.
But the security of your application is as strong as your weakest link. What if your form also includes a large text field, say that you want your users to be able to write flexible, html-readable posts?
For example, this text box on StackOverflow allows you to format text, include links, images, etc., when you ask a question or send an answer. The stack overflow takes user inputs, puts them into its database, and then displays them on the Internet: pictures, links, etc. This means that they must allow html tags, special characters, etc. How are they and how can I make sure that there is no malicious content in my database?
To get specific information, here is the security implementation that I added to my web application:
- Prepared PDO reports when working with dynamic database inputs
- Limit access to the database of my site for users with less privileges (so if someone gets control, they can update, insert or select)
- Client-side validation (practically useless in this context, it is just for the convenience of users)
- Using POST, not GET
- Error error_display is disabled, so attackers cannot investigate
I know that it is best to filter and check POST [] using server side validation, but this will limit my users. For example, filtering all html tags will disable links, images and formatting. Same issue with output filtering with htmlentities. Maybe there is a more subtle way to do this?
What else can I do to provide this?
I have to add: The moderation process will be performed before any output is displayed. Each user post will have a pair of eyes looking at it before it is allowed to be posted on the website. This concerns output filtering, but input filtering is still a problem.
html security php validation pdo
Kev
source share