I need to write a report on ways to protect against SQL injection and XSS and what ways the security in a website I created could be improved.
On my website I used jquery's jTable to display data from a MySQL database.
Inputs for new entries into the db are sanitised using mysql_real_escape_string:
$fieldName = mysql_real_escape_string($_POST["fieldName"]);
(although in my report I have suggested that using prepared statements is a better option and why)
Outputs are displayed using:
print json_encode($jTableResult);
When testing my website I realised that although I had made it harder for SQL injection I could still save HTML and javascript code into the db which would then execute when displayed to the browser. As I didn't know how to solve this I just added the strip_tags function on user inputs:
$fieldName = mysql_real_escape_string(strip_tags($_POST["fieldName"]));
Now that I need to produce this report I want to state the correct way this should have been done and what I could have improved.
So my question... How do you escape outputs in arrays?
Hope this makes sense
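The pattern the question is after, as an added example (not the asker's code): store the raw input with a prepared statement instead of mysql_real_escape_string()/strip_tags(), and escape for HTML at output time by walking the result array before json_encode(). It assumes an existing PDO connection in $db, a table and column named entries/field_name, and that the {Result, Records} shape matches what jTable's listAction expects.

```php
<?php
// Added example, not the original poster's code. Input is stored
// unchanged through a prepared statement; HTML escaping is applied
// once, at output, to every string in the array being sent to jTable.

// Storage: the prepared statement keeps SQL and data separate, so no
// escaping for SQL is needed and strip_tags() is not needed either
// (the user's text is kept as typed; it is neutralised on output).
function saveEntry(PDO $db, string $fieldName): void
{
    $stmt = $db->prepare('INSERT INTO entries (field_name) VALUES (:field_name)');
    $stmt->execute([':field_name' => $fieldName]);
}

// Output: recursively escape every string for an HTML context.
// Keys are left alone: they are column names set by server code.
function escapeForHtml($value)
{
    if (is_array($value)) {
        $escaped = [];
        foreach ($value as $key => $item) {
            $escaped[$key] = escapeForHtml($item);
        }
        return $escaped;
    }
    if (is_string($value)) {
        return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return $value; // ints, floats, bools and null are left as they are
}

// Constructed sample shaped like a jTable listAction response. The
// JSON_HEX_* flags additionally encode < > & ' " as \uXXXX so the JSON
// is also safe if it is ever embedded directly inside a <script> block.
$jTableResult = [
    'Result'  => 'OK',
    'Records' => [
        ['PersonId' => 1, 'Name' => '<script>alert(1)</script>'],
        ['PersonId' => 2, 'Name' => "O'Brien & Co"],
    ],
];
header('Content-Type: application/json');
print json_encode(
    escapeForHtml($jTableResult),
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
);
// The first Name reaches the browser as &lt;script&gt;...&lt;/script&gt;,
// so when jTable inserts it as HTML it is shown as text, not executed.
```

Escape in exactly one place for the context the data ends up in: if the client-side code already HTML-escapes cell values before rendering, send the raw strings (with only the JSON_HEX_* flags) or the page will display literal &lt; and &amp;.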