问题
If my site ever goes live (don't think it will, its just a learning exercise at the moment).
I've been using mysql_real_escape_string(); on data from POST, SERVER and GET. Also, I've been using intval(); on strings that must only be numbers.
I think this covers me from sql injection? Correct? Can i do more?
But, I'm not sure how it provides (if it provides any protection at all) from XSS injection?
Any more information on how to combat these two forms of attacks is appreciated.
回答1:
I think this covers me from sql injection? Correct?
No. It makes a terrible mess of your data.
Can i do more?
Yes. You can protect your code from SQL injections.
Here is a brief explanation I've made already
Only I have to add that you should not spoil your source data arrays.
POST array has noting to do with SQL. The data may go into email, an HTML form, a file, online service, etc. Why treat it all with SQL protection?
On the other hand, you may take your data not from POST but from a file, online service, other query.
So, you have to protect not source arrays, but actual data that goes into query
Speaking of XSS, there are no simple universal rule again.
But in general, you have to use htmlspecialchars($data,ENT_QUOTES); for the every untrusted data you output as a text, and some other kinds of validations in some special cases, like filenames
回答2:
Used hard coded prepared queries
来源:https://stackoverflow.com/questions/3486740/what-more-can-i-do-to-prevent-myself-from-xss-injection-sql-injection