I am trying to secure my site so I'm not vulnerable to sql injection or xss.
Here's my code:
//here's the form (abbreviated)
<form>
<label for="first_name" class="styled">First Name:</label>
<input type="text" id="first_name" name="first_name" value="<?php if (!empty($first_name)) echo $first_name; ?>" /><br />
//submit button etc
</form>
if (isset($_POST['submit'])) {
//gets rid of extra whitesapce and escapes
$first_name = mysqli_real_escape_string($dbc, trim($_POST['first_name']));
//check if $first_name is a string
if(!is_string($first_name)
{
echo "not string";
}
//then insert into the database.
.......
}
mysqli_real_escape_string
: I know that this function escapes certain letters like
, so when the data gets inputted into the dbc, would it have '\' next to all the escaped letters?
Will this script be enough to prevent most sql injection? just escaping and checking if the data is a string. For integers values(like users putting in prices), i just:
is_numeric()
.How should I use
htmlspecialchars
? Should I use it only when echoing and displaying user data? Or should I also use this when inserting data to a database?When should I use
strip_tags
orhtmlspecialchars
?
So with all these functions:
if (isset($_POST['submit'])) {
//gets rid of extra whitesapce and escapes
$first_name = mysqli_real_escape_string($dbc, trim($_POST['first_name']));
//check if $first_name is a string
if(!is_string($first_name)
{
echo "not string";
}
//gets rid of any <,>,&
htmlspecialchars($first_name);
//strips any tags with the first name
strip_tags($first_name)
//then insert into the database.
.......
}
Which functions should I use for sql injection and which ones should I use for xss?
When can a user insert xss scripts against me? When there is a form?