views: 296
answers: 6
Which type of input is least vulnerable to Cross-Site Scripting (XSS) and SQL Injection attacks?

PHP, HTML, BBCode, etc. I need to know for a forum I'm helping a friend set up.

+3  A: 

We need to know more about your situation. Vulnerable how? Some things you should always do:

  • Escape strings before storing them in a database to guard against SQL injections
  • HTML encode strings when printing them back to the user from an unknown source, to prevent malicious html/javascript

I would never execute php provided by a user. BBCode/UBBCode are fine, because they are converted to semantically correct html, though you may want to look into XSS vulnerabilities related to malformed image tags. If you allow HTML input, you can whitelist certain elements, but this will be a complicated approach that is prone to errors. So, given all of the preceding, I would say that using a good off-the-shelf BBCode library would be your best bet.

Chris Marasti-Georg
Please don't escape strings to protect against SQL injections. Use prepared statements with placeholders.
Andy Lester
+1  A: 

There are lots of BB code parsers that sanitize input for HTML and so on. If there's not one available as a package, then you could look at one of the open source forum software packages for guidance.

BB code makes sense as it's the "standard" for forums.

mabwi
I just want to note that it's important that BBCode itself is not a solution - it's the parser that would prevent XSS and SQL injection. The fact that the rich text functionality is handled by BBCode markup is completely irrelevant.
Peter Bailey
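Both answers above come down to the same two mechanisms: keep user data out of the SQL text with placeholders, and encode on output, with a BBCode parser (not BBCode itself) being the thing that decides which HTML ever reaches the browser. The following Python is an added example and is not code from either answer; it assumes an in-memory SQLite table standing in for the forum's database, a made-up four-tag BBCode subset ([b], [i], [url], [img]), and the hypothetical helper names open_db, store_post, load_post, render_bbcode and store_and_render:

```python
import html
import re
import sqlite3
from typing import Optional, Tuple

# Constructed: an in-memory SQLite table standing in for the forum's real posts table.
def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn

def store_post(conn: sqlite3.Connection, author: str, body: str) -> int:
    # Placeholders: the driver passes the values separately from the SQL text,
    # so a quote or semicolon in the body can never terminate the statement.
    cur = conn.execute("INSERT INTO posts (author, body) VALUES (?, ?)", (author, body))
    conn.commit()
    return cur.lastrowid

def load_post(conn: sqlite3.Connection, post_id: int) -> Optional[Tuple[str, str]]:
    return conn.execute("SELECT author, body FROM posts WHERE id = ?", (post_id,)).fetchone()

# Only absolute http(s) URLs are allowed in [url] and [img]; javascript:, data: and
# anything containing whitespace or quote characters is dropped.
_SAFE_URL = re.compile(r"^https?://[^\s\"'<>]+$", re.IGNORECASE)

def _link(m: "re.Match[str]") -> str:
    url, label = m.group(1), m.group(2)
    return f'<a href="{url}">{label}</a>' if _SAFE_URL.match(url) else label

def _img(m: "re.Match[str]") -> str:
    url = m.group(1)
    return f'<img src="{url}" alt="">' if _SAFE_URL.match(url) else ""

def render_bbcode(raw: str) -> str:
    # Step 1: HTML-encode the whole string. From here on, no character the user
    # typed can open a tag or break out of an attribute.
    text = html.escape(raw, quote=True)
    # Step 2: translate only the whitelisted BBCode tags into fixed HTML.
    text = re.sub(r"\[b\](.*?)\[/b\]", r"<strong>\1</strong>", text, flags=re.S)
    text = re.sub(r"\[i\](.*?)\[/i\]", r"<em>\1</em>", text, flags=re.S)
    text = re.sub(r"\[url=([^\]]+)\](.*?)\[/url\]", _link, text, flags=re.S)
    text = re.sub(r"\[img\]([^\[]+)\[/img\]", _img, text, flags=re.S)
    return text

def store_and_render(conn: sqlite3.Connection, author: str, raw: str) -> str:
    # Store the raw text and encode on the way out, never on the way in.
    post_id = store_post(conn, author, raw)
    stored_author, stored_body = load_post(conn, post_id)
    return f"<p><b>{html.escape(stored_author)}</b>: {render_bbcode(stored_body)}</p>"

if __name__ == "__main__":
    db = open_db()
    print(store_and_render(db, "alice", "it's [b]bold[/b] <script>alert(1)</script>"))
    print(render_bbcode("[img]javascript:alert(1)[/img] [url=http://example.com/]ok[/url]"))
```

The order inside render_bbcode is the whole point: escape first, then translate tags, so the only angle brackets that reach the browser are the ones the parser itself emits. The [img] and [url] handlers additionally restrict the target to http(s) URLs, which covers the malformed image tag case the first answer mentions.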
A: 

The input that is the least vulnerable to attack is the "non-input".

Are you asking the right question?

Chris Lively
+2  A: 

Any kind of boolean.

You can even filter invalid input quite easily.

;-)

Xqj37
if(input != Bool.FileNotFound) //It's safe. http://thedailywtf.com/Articles/What_Is_Truth_0x3f_.aspx
Chris Marasti-Georg
+2  A: 

None of them are. All data that is expected at the server can be manipulated by those with the knowledge and motivation. The browser and form that you expect people to be using is only one of several valid ways to submit data to your server/script.

Please familiarize yourself with the topic of XSS and related issues.

Peter Bailey
+4  A: 

(I just posted this in a comment, but it seems a few people are under the impression that select lists, radio buttons, etc. don't need to be sanitized.)

Don't count on radio buttons being secure. You should still sanitize the data on the server. People could create an html page on their local machine, and make a text box with the same name as your radio button, and have that data get posted back.

A more advanced user could use a proxy like WebScarab, and just tweak the parameters as they are posted back to the server.

A good rule of thumb is to always use parameterized SQL statements, and always escape user-generated data before putting it into the HTML.

pkaeding
In Opera you can also edit the HTML or JS of a page, therefore changing anything the user added to prevent you from doing something. Very cool for testing purposes, but makes it easy to mess with things.
Darryl Hein
Yeah, Firebug in Firefox allows for this too.
pkaeding
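As an added illustration of pkaeding's point (this is not code from the answer or its comments), the server below treats every submitted field as free text and whitelists it, regardless of whether the form rendered it as a radio button, a checkbox or a text box. The section names, field names, limits and the validate_post_form / check_form helpers are all assumptions made for this example, and the sample requests are constructed:

```python
from typing import Any, Dict, Tuple, Union

# Constructed: the fields our hypothetical "new post" form offers. The browser-side
# widget type (radio, checkbox, text) is irrelevant here; every value arrives as text.
ALLOWED_SECTIONS = frozenset({"general", "help", "offtopic"})
TITLE_MAX = 120

class ValidationError(ValueError):
    pass

def validate_post_form(form: Dict[str, Any]) -> Dict[str, Any]:
    """Validate a posted form as free text, because that is what the server receives."""
    section = form.get("section")
    # A radio group only constrains what the browser shows; whitelist the value anyway.
    if not isinstance(section, str) or section not in ALLOWED_SECTIONS:
        raise ValidationError("section must be one of %s" % sorted(ALLOWED_SECTIONS))
    # A checkbox is a boolean, but "yes", "1x" or a list of repeated values are all
    # things a hand-made form or a proxy can send; accept exactly two spellings.
    subscribe = form.get("subscribe", "0")
    if subscribe not in ("0", "1"):
        raise ValidationError("subscribe must be 0 or 1")
    title = form.get("title")
    if not isinstance(title, str) or not 1 <= len(title.strip()) <= TITLE_MAX:
        raise ValidationError("title must be 1-%d characters" % TITLE_MAX)
    return {"section": section, "subscribe": subscribe == "1", "title": title.strip()}

def check_form(form: Dict[str, Any]) -> Tuple[bool, Union[Dict[str, Any], str]]:
    """Convenience wrapper returning (accepted, cleaned-values-or-error-message)."""
    try:
        return True, validate_post_form(form)
    except ValidationError as exc:
        return False, str(exc)

# Constructed requests: the first is what the real form sends; the rest are values the
# real form never offers but that a local copy of it or a proxy could submit.
SAMPLE_REQUESTS = [
    {"section": "help", "subscribe": "1", "title": "Board not starting"},
    {"section": "admin", "subscribe": "1", "title": "Board not starting"},
    {"section": "help", "subscribe": "yes", "title": "Board not starting"},
    {"section": ["help", "admin"], "subscribe": "0", "title": "x"},
    {"section": "help", "subscribe": "0", "title": "   "},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(check_form(req))
```

Only the first sample passes; the server never reasons about which widget produced a value, it simply rejects anything outside the set it would have offered. This whitelist check is about validity of the value and is separate from the SQL placeholders and HTML encoding the answer also recommends, which still apply when the accepted values are stored and displayed.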