Reply to Strategy for securing MySQL PHP application - please comment

Posted by Harold Crump on 07/04/06 15:43

Greetings,

I have a fairly vanilla PHP web application that stores and retrieves
data in a MySQL database.
Users will be adding a lot of special characters such as single and
double quotes, accented French characters, etc.

I want to eliminate any potential for XSS or SQL injection attacks.

My question - is it enough to pass all user input through the
htmlentities() function call and store the resultant output?

When displaying database fields back on the page, the browser should
automatically take care of converting the HTML characters.

Am I missing something?
What else do I need to do for making my app immune to XSS and injection
attacks?

Also, I would like to replace all semi-colons in input with something
else - but I am not sure what and how.

All ideas and suggestions welcome - as you can tell I am new to this.

Thanks,
Harold.
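An added example, not part of Harold's post, showing one way to handle the two concerns he raises: bound parameters (here via PDO) keep user text out of the SQL statement itself, and escaping is applied once, at output time, for the HTML context. The table name, column names and sample strings are constructed for this illustration; an in-memory SQLite database stands in for MySQL so the script runs stand-alone.

```php
<?php
// Added example (not from the original post): PDO prepared statements for the
// database side and HTML escaping at output time for the browser side.
// Uses an in-memory SQLite database so it runs offline; in practice a MySQL DSN
// such as "mysql:host=localhost;dbname=app;charset=utf8mb4" would replace it.

declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema for the example.
    $db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// Store the text as typed. Bound parameters travel separately from the SQL
// text, so quotes, semicolons and accented characters cannot change the query.
function saveNote(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO notes (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function findNotesByAuthor(PDO $db, string $author): array
{
    $stmt = $db->prepare('SELECT id, author, body FROM notes WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape for HTML at the point of display. ENT_QUOTES covers both quote
// characters; the charset argument keeps multibyte (accented) text intact.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderNotes(array $notes): string
{
    $html = "<ul>\n";
    foreach ($notes as $n) {
        $html .= '  <li><b>' . h($n['author']) . '</b>: ' . h($n['body']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample input containing the kinds of characters the question mentions.
$db = openDb();
saveNote($db, "O'Brien", 'Il a dit : "ça va" ; <b>gras</b>');
saveNote($db, 'Élodie', "Apostrophe ' and semicolon ; are stored exactly as typed");

echo renderNotes(findNotesByAuthor($db, "O'Brien"));
echo renderNotes(findNotesByAuthor($db, 'Élodie'));
```

The database keeps the original characters, so the same stored value can later be shown in a non-HTML context (a CSV export, a plain-text e-mail) without first undoing HTML entities; the escaping lives in the one function that produces HTML.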
