Tip: Writing secure code against XSS (cross site scripting) and SQL injection


Webhelpforums

Just some quick tips in this thread. Feel free to add more tips and suggestions!


Filter incoming data (e.g. submitted in forms) using tight predefined rules, e.g. with regular expressions.
Filter outgoing data (from whatever source) before your server side code, PHP or ASP or whatever, outputs it to your visitors' browsers.

These things will help you avoid:
SQL injection (where you take submitted, non-trustworthy data and insert it directly into a dynamically built SQL query)
XSS (cross site scripting) (where you output to browsers data submitted by others... without e.g. checking if it's actually e.g. JavaScript code doing crazy stuff)


TechSEO360 | MicrosysTools.com  | A1 Sitemap Generator, A1 Website Analyzer etc.
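The two tips above (tight allowlist rules on the way in, escaping on the way out) as an added PHP example; this is not code from the thread, and the function names validate_username, esc_html and render_comment, the 3-20 character username rule and the sample inputs are all constructed for illustration. It assumes PHP 7.1 or later for the nullable return type.

```php
<?php
// Added example, not from the original posts: allowlist validation of incoming
// form data, then contextual escaping of everything that is sent to the browser.

// Tight predefined rule for a username field (hypothetical policy):
// 3 to 20 characters, letters, digits and underscore only. Anything else is
// rejected outright rather than "cleaned up".
function validate_username(string $raw): ?string
{
    return preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $raw) === 1 ? $raw : null;
}

// Escape a value for an HTML text or attribute context. ENT_QUOTES encodes
// both " and ' so the value is also safe inside a quoted attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render a visitor-submitted comment. The body is free text, so it cannot be
// restricted with an allowlist the way the username can; the only defence
// is to escape it at the point where it is written into HTML.
function render_comment(string $author, string $body): string
{
    return '<p class="comment"><b>' . esc_html($author) . '</b>: '
        . esc_html($body) . '</p>';
}

// Constructed sample inputs, i.e. what an attacker might type into the form.
$usernames = [
    'alice',                          // passes the allowlist
    'bob<script>alert(1)</script>',   // fails: angle brackets not allowed
    "x\" onmouseover=\"alert(1)",      // fails: quote and spaces not allowed
];
foreach ($usernames as $u) {
    $ok = validate_username($u);
    printf("%-32s -> %s\n", $u, $ok === null ? 'rejected' : 'accepted');
}

// A comment body that would run JavaScript if copied into the page as-is.
$body = '<img src=x onerror="alert(document.cookie)">';
echo render_comment('alice', $body), "\n";
```

Only the first username is accepted; the other two never reach the database or the page. The comment body is neither validated nor stripped: after esc_html it contains `&lt;img ... onerror=&quot;alert(document.cookie)&quot;&gt;`, which the browser displays as text rather than executing. Note that htmlspecialchars is only correct for HTML text and attribute contexts; a value written into a JavaScript string, a URL or a CSS rule needs the escaping rules of that context instead.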


BankruptcyRules

Whether you are writing a PHP snippet or an entire module, it is important to keep your code secure.
Use check functions on output to prevent cross site scripting attacks


No piece of user-submitted content should ever be placed as-is into HTML.

    * Use check_plain or theme('placeholder') for plain text.
    * Use check_markup or filter_xss for markup containing text.
    * Use the t() function with @ or % placeholders to construct safe, translatable strings.

See how to handle text in a secure fashion for more details.
Use the database abstraction layer to avoid SQL injection attacks

Use the database layer correctly. For example, never concatenate data directly into SQL queries, like this:

<?php
// Vulnerable by design: $_GET['user'] is concatenated into the SQL text,
// so the visitor controls part of the query.
db_query('SELECT foo FROM {table} t WHERE t.name = '. $_GET['user']);
?>
« Last Edit: December 20, 2010, 07:48:11 AM by Webhelpforums »
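The concatenated query above beside its parameterised replacement, as an added PHP example rather than code from the post or from Drupal. It uses plain PDO with an in-memory SQLite table so it runs without a server; the users table, its two rows, the function names lookup_unsafe and lookup_safe and the attack string are all constructed for the example, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example, not from the original posts: the same lookup done by string
// concatenation (injectable) and by a prepared statement (not injectable),
// run against a constructed in-memory SQLite table.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, foo TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'alice-secret'), ('bob', 'bob-secret')");

// Vulnerable: the visitor-supplied value becomes part of the SQL text itself,
// exactly like the db_query() concatenation in the post.
function lookup_unsafe(PDO $db, string $user): array
{
    $sql = "SELECT foo FROM users WHERE name = '" . $user . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL text is fixed at prepare time; the value is bound separately,
// so the database never parses it as SQL no matter what it contains.
function lookup_safe(PDO $db, string $user): array
{
    $stmt = $db->prepare('SELECT foo FROM users WHERE name = :name');
    $stmt->execute([':name' => $user]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker value, i.e. what ?user=... might carry.
$attack = "nobody' OR '1'='1";

echo "Concatenated query:\n";
print_r(lookup_unsafe($db, $attack));

echo "Prepared statement:\n";
print_r(lookup_safe($db, $attack));
```

With that value the concatenated query becomes `SELECT foo FROM users WHERE name = 'nobody' OR '1'='1'`, whose WHERE clause is always true, so lookup_unsafe returns both users' foo values; lookup_safe looks for a user literally named `nobody' OR '1'='1` and returns an empty array. Drupal 6's db_query does the same job with its own placeholders, e.g. `db_query("SELECT foo FROM {table} t WHERE t.name = '%s'", $_GET['user'])`, where the value is escaped by the database layer instead of being spliced into the string by hand.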


Webhelpforums

Great post!

I fixed your signature, so it would become a real URL (bbcode instead of HTML)