Question

Which type of input is least vulnerable to Cross-Site Scripting (XSS) and SQL Injection attacks?

PHP, HTML, BBCode, etc. I need to know for a forum I'm helping a friend set up.


Solution

We need to know more about your situation. Vulnerable how? Some things you should always do:

  • Escape strings before storing them in a database to guard against SQL injections
  • HTML encode strings when printing them back to the user from an unknown source, to prevent malicious html/javascript

I would never execute php provided by a user. BBCode/UBBCode are fine, because they are converted to semantically correct html, though you may want to look into XSS vulnerabilities related to malformed image tags. If you allow HTML input, you can whitelist certain elements, but this will be a complicated approach that is prone to errors. So, given all of the preceding, I would say that using a good off-the-shelf BBCode library would be your best bet.

OTHER TIPS

(I just posted this in a comment, but it seems a few people are under the impression that select lists, radio buttons, etc don't need to be sanitized.)

Don't count on radio buttons being secure. You should still sanitize the data on the server. People could create an html page on their local machine, and make a text box with the same name as your radio button, and have that data get posted back.

A more advanced user could use a proxy like WebScarab, and just tweak the parameters as they are posted back to the server.

A good rule of thumb is to always use parameterized SQL statements, and always escape user-generated data before putting it into the HTML.

None of them are. All data that is expected at the server can be manipulated by those with the knowledge and motivation. The browser and form that you expect people to be using is only one of several valid ways to submit data to your server/script.

Please familiarize yourself with the topic of XSS and related issues

Any kind of boolean.

You can even filter invalid input quite easily.

;-)

There's lots of BB code parsers that sanitize input for HTML and so on. If there's not one available as a package, then you could look at one of the open source forum software packages for guidance.

BB code makes sense as it's the "standard" for forums.

The input that is the least vulnerable to attack is the "non-input".

Are you asking the right question?

For Odin's sake, please don't sanitize inputs. Don't be afraid of users entering whatever they want into your forms.

User input is not inherently unsafe. The accepted answer leads to those kinds of web interfaces like my bank's, where Mr. O'Reilly cannot open an account, because he has an illegal character in his name. What is unsafe is always how you use the user input.

The correct way to avoid SQL injections is to use prepared statements. If your database abstraction layer doesn't let you use those, use the correct escaping functions rigorously (mysql_escape et al). The correct way to prevent XSS attacks is never something like striptags(). Escape everything - in PHP, something like htmlentities() is what you're looking for, but it depends on whether you are outputting the string as part of HTML text, an HTML attribute, or inside of JavaScript, etc. Use the right tool for the right context. And NEVER just print the user's input directly to the page.

Finally, have a look at the Top 10 vulnerabilities of web applications, and do the right thing to prevent them. http://www.applicure.com/blog/owasp-top-10-2010
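The two rules repeated across the answers above (parameterized SQL on the way in, context-specific escaping on the way out) as an added PHP example; this is not code from any of the answers. The function names `esc_html`, `esc_js`, `store_post` and `render_post`, the in-memory SQLite table and the sample post are all assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Escaping for HTML text and HTML attribute context: <, >, &, " and ' are all encoded.
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escaping for a JavaScript string literal inside a <script> block: json_encode with the
// JSON_HEX_* flags emits \uXXXX escapes so the value can never close the literal or the tag.
function esc_js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Store a post with a prepared statement: the user values are bound as parameters and
// never become part of the SQL text, so no escaping is needed (or wanted) here.
function store_post(PDO $db, string $author, string $body): int {
    $stmt = $db->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// Render the stored post, choosing the escaper by the context each value lands in.
function render_post(string $author, string $body): string {
    return '<div class="post" data-author="' . esc_html($author) . '">'
         . '<p>' . esc_html($body) . '</p>'
         . '<script>var author = ' . esc_js($author) . ';</script>'
         . '</div>';
}

// Demo against an in-memory SQLite database (assumes the pdo_sqlite extension is loaded).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input: a legitimate apostrophe in the name and markup in the body.
// Both are stored unchanged; they are neutralised only at output time.
$id = store_post($db, "Mr. O'Reilly", '<script>alert(1)</script> hi "there"');

$sel = $db->prepare('SELECT author, body FROM posts WHERE id = :id');
$sel->execute([':id' => $id]);
$row = $sel->fetch(PDO::FETCH_ASSOC);

echo render_post($row['author'], $row['body']), PHP_EOL;
```

Run it with `php example.php` and note that the apostrophe in the name survives storage intact while the script tag in the body is rendered as inert text.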

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow