So I've got a website that, given a customer's input, will produce a /home/content/s/a/m/p/l/e/customers/profile/index.php. My question for you is: is it safe? This is exactly what I actually do to try and sanitize the customer's input; if there's more, please tell me.

<?php
// the constant has to exist before it is used in the call below
define('ALLOWED_TAGS', '<br><p><b><i><hr>');

strip_tags(html_entity_decode($mysqli->real_escape_string($title)), ALLOWED_TAGS);

Since I am relatively new to web development, I'm wondering if this is an excellent approach, since it takes the stress off using the database to obtain the same information again and again, rather than simply having a static page with the info on it, or is this a HUGE security hole? I don't know! :) I don't know if they might perform some kind of XSS attack with what I've set up here. Help!


P.S. If you have any solutions or suggestions, would you please give some understanding of why it is. I've got a degree in computer science and so I am curious how it works, not only the quick and dirty solution. Thanks.

This XSS input validation is awful. An html_entity_decode() is the complete opposite of what you need. Additionally, some of these tags, like the <p> tag, permit you to execute JavaScript within an event handler. So in a nutshell this code does not do shit to prevent XSS.

You need to use htmlspecialchars($var, ENT_QUOTES); or HTMLPurifier. If you go the HTMLPurifier route, make sure you keep that shit current; it gets sidestepped every few days. Oh, and HTMLPurifier is very computationally costly since it uses thousands of regexes.
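An added example (not code from either poster) showing the two points of this answer side by side: the asker's pipeline, and output escaping with htmlspecialchars(). The inputs are constructed; because $mysqli->real_escape_string() needs a live connection, addslashes() stands in for it here, which is an assumption of this example only.

```php
<?php
// Added example, not from the original post.
// addslashes() stands in for $mysqli->real_escape_string() so this runs offline;
// both only add backslashes before quotes, neither touches '<' or '>'.
const ALLOWED_TAGS = '<br><p><b><i><hr>';

// The asker's pipeline, unchanged in behaviour.
function askerSanitize(string $title): string
{
    return strip_tags(html_entity_decode(addslashes($title)), ALLOWED_TAGS);
}

// What the answer recommends: escape at output time, for the HTML context.
function safeOutput(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs.
$inputs = [
    // An event handler on an allowed tag: strip_tags() keeps the whole tag,
    // attributes included, so the handler reaches the browser.
    '<p onmouseover="alert(1)">hello</p>',
    // An entity-encoded tag: html_entity_decode() turns the harmless text
    // back into live markup before strip_tags() runs.
    '&lt;b onclick=&quot;alert(2)&quot;&gt;hi&lt;/b&gt;',
];

foreach ($inputs as $in) {
    echo "input : $in\n";
    echo "asker : " . askerSanitize($in) . "\n";
    echo "safe  : " . safeOutput($in) . "\n\n";
}
```

Run it with the php CLI and compare the lines: the "asker" output still contains a tag with an event handler in both cases, while the "safe" output contains no tag at all, only text that the browser renders literally. The lesson is that SQL escaping and HTML escaping are different contexts; the first belongs next to the query (or, better, a prepared statement), the second next to the echo.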

This is a PHP security checklist I put together for my company's internal knowledge base. Maybe it will help.

  • Don't use deprecated functions and practices
  • Always validate user input
  • Use placeholders when using variable values in an SQL query.
  • Always escape variables used in SQL queries.
  • Set proper directory permissions
  • Always regenerate the session id every time the user logs in. (To prevent session id hijacking)
  • Never store passwords in plain text. Store only their hashed values.
  • When outputting user input in a web page, check for HTML special characters. (HTML tags like might be used for XSS attacks)
  • Be aware of the specs of the deployment server before you move to it
  • Safeguard directories where log records are saved.
  • Set register_globals to off
  • PHP safe mode can be helpful, but it's deprecated since version 5.3
  • If not used in the code, disable the functions system and exec using the disable_functions setting in php.ini
  • Set display_errors to off on production/live servers.
  • Validate cookie data
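An added example (not part of the checklist's author's post) that puts three of the items above into one login routine: placeholders via a mysqli prepared statement, hashed passwords checked with password_verify(), and a regenerated session id on successful login. The table and column names (users, username, password_hash) and the connection details are assumptions for this example.

```php
<?php
// Added example, not from the original post. Assumes a table
// users(username, password_hash) where password_hash holds password_hash() output.
declare(strict_types=1);

// Connection details are placeholders; fill in your own.
$mysqli = new mysqli('db-host', 'app-user', 'app-password', 'app-db');
$mysqli->set_charset('utf8mb4');

/**
 * Returns true when $username/$password match a stored account.
 * The username is bound as a parameter, never concatenated into the SQL.
 */
function checkLogin(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Compare against the stored hash; the plaintext password is never stored.
    return $row !== null && password_verify($password, $row['password_hash']);
}

/** Stores a new account with a hashed password, again via placeholders. */
function createAccount(mysqli $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->close();
}

session_start();

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if (checkLogin($mysqli, $username, $password)) {
    // Throw away the pre-login session id so a fixated id is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    // Escape for the HTML context when echoing user-controlled data.
    echo 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
} else {
    echo 'Login failed';
}
```

The two points worth checking in code review are that no request value ever reaches a query string except through bind_param(), and that session_regenerate_id(true) runs after authentication succeeds, not before, so the id an attacker could have planted before login is discarded rather than promoted.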