Question
I need to write a report on ways to protect against SQL injection and XSS and what ways the security in a website I created could be improved.
On my website I used jquery's jTable to display data from a MySQL database.
Inputs for new entries into the db are sanitised using mysql_real_escape_string:
https://stackoverflow.com/questions/21164095
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian$fieldName = mysql_real_escape_string($_POST["fieldName"]);
(although in my report I have suggested that using prepared satements is a better option and why)
Outputs are displayed using:
print json_encode($jTableResult);
When testing my website I realised that although I had made it harder for SQL injection I could still save HTML and javascript code into the db which would then execute when displayed to the browser. As I didnt know how to solve this I just added the strip_tags function on user inputs:
$fieldName = mysql_real_escape_string(strip_tags($_POST["fieldName"]));
Now that I need to produce this report I want to state the correct way this should have been done and what I could of improved.
So my question... How do you escape outputs in arrays?
Hope this makes sense
Solution
You can use htmlspecialchars to output html as plain text: http://www.w3schools.com/php/func_string_htmlspecialchars.asp
strip_tags removes the tags, unless you specify specific tags that can be shown in the output.
Mysql_real_escape_string is used to escape characters for SQL input.. http://www.w3schools.com/php/func_mysql_real_escape_string.asp
However, have a look into Mysqli or PDO and prepared statements to enhance your security. Mysql is depricated.
