I use several forms on my site to send data to MySQL.

Which is the best way / method to validate my form, if I don't want users to be able to send any script to the database through my forms?

+2  A: 

Forget about jQuery. You can't use anything running on the client to make things safe — the client can always override it.

You need to deal with the data on the server. See http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php to protect your database and http://stackoverflow.com/questions/71328/what-are-the-best-practices-for-avoid-xss-attacks-in-a-php-site to protect your pages.

David Dorward
Thank you. I will try to learn this.
Holian
A: 

Is this ever a loaded question... and covers more than can fit in one answer.

If you have to ask a question in the general terms you did, I'd highly recommend finding a mentor to help you as this is not a topic you really want to learn-by-doing.

Several, similar questions have been asked and I highly encourage you to seek them out and read them. Also, seek out some quality blog posts on this and/or a community centered around a particular product that is similar to the one you are building to see how they did it.

Some tips in the meantime:

  • I noticed the jquery tag... JavaScript validation should be the 2nd thing you look at, and more as a means of providing immediate feedback for the user. Because it can be turned off at the client side, you cannot rely on any JavaScript validation being done.
  • Strictly check data types on the server. If you're supposed to be getting a number back, make sure it is really a number. If it's one of a handful of options, check and only accept the available options.
  • Do not just accept data from a form control - even if it's a select box or a hidden field. People will play silly buggers with your form data and you just cannot rely on getting back what you think you'll get back.
AnonJr
A: 

To prevent SQL injection, use prepared statements. To prevent HTML injection, check out htmlspecialchars, htmlentities, strip_tags and the filter functions, or use a third-party library to strip all but whitelisted tags & attributes.

outis
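As an added example, not code from any of the answers above, the following PHP puts the advice of the last two answers together in one form handler: strict server-side checks on each field (integer range, whitelist for the select box, bounded text), a PDO prepared statement for the INSERT, and htmlspecialchars at output time. It assumes PHP 7.1+ with the PDO, pdo_sqlite and mbstring extensions; the `signups` table, the field names and the hostile sample `$post` values are constructed for the example. The database is in-memory SQLite so it runs offline; with MySQL only the DSN changes.

```php
<?php
// Added example: validate, then store with a prepared statement, then escape on output.
// Constructed data and table name; not code from the original answers.
declare(strict_types=1);

// What $_POST might contain, including injection attempts (constructed sample).
$post = [
    'name'    => "Robert'); DROP TABLE signups;--",
    'age'     => '42',
    'plan'    => 'premium',
    'comment' => '<script>alert(1)</script> hello',
];

// Server-side validation. Returns [cleanValues, errors]; nothing is "escaped" here,
// the prepared statement and output escaping make hostile characters harmless.
function validateSignup(array $input): array
{
    $errors = [];
    $clean  = [];

    $name = trim((string)($input['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'name must be 1-100 characters';
    } else {
        $clean['name'] = $name;
    }

    // Must really be an integer in range, not merely look numeric.
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        $errors[] = 'age must be an integer between 0 and 150';
    } else {
        $clean['age'] = $age;
    }

    // Select box: accept only the options you offered, never the raw value.
    $allowedPlans = ['free', 'basic', 'premium'];
    $plan = (string)($input['plan'] ?? '');
    if (!in_array($plan, $allowedPlans, true)) {
        $errors[] = 'plan must be one of ' . implode(', ', $allowedPlans);
    } else {
        $clean['plan'] = $plan;
    }

    $comment = trim((string)($input['comment'] ?? ''));
    if (mb_strlen($comment) > 1000) {
        $errors[] = 'comment must be at most 1000 characters';
    } else {
        $clean['comment'] = $comment;
    }

    return [$clean, $errors];
}

// Parameterised INSERT: the values never become part of the SQL text.
function insertSignup(PDO $db, array $clean): int
{
    $stmt = $db->prepare(
        'INSERT INTO signups (name, age, plan, comment) VALUES (:name, :age, :plan, :comment)'
    );
    $stmt->bindValue(':name', $clean['name'], PDO::PARAM_STR);
    $stmt->bindValue(':age', $clean['age'], PDO::PARAM_INT);
    $stmt->bindValue(':plan', $clean['plan'], PDO::PARAM_STR);
    $stmt->bindValue(':comment', $clean['comment'], PDO::PARAM_STR);
    $stmt->execute();
    return (int)$db->lastInsertId();
}

// Escape for an HTML text/attribute context at output time, not at storage time.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares where the driver supports them
]);
$db->exec('CREATE TABLE signups (id INTEGER PRIMARY KEY, name TEXT, age INTEGER, plan TEXT, comment TEXT)');

[$clean, $errors] = validateSignup($post);
if ($errors) {
    foreach ($errors as $e) {
        echo "error: $e\n";
    }
    exit(1);
}
$id = insertSignup($db, $clean);

// Read the row back: the hostile name is stored verbatim and the table still exists.
$sel = $db->prepare('SELECT name, comment FROM signups WHERE id = :id');
$sel->bindValue(':id', $id, PDO::PARAM_INT);
$sel->execute();
$row = $sel->fetch(PDO::FETCH_ASSOC);
echo '<p>' . h($row['name']) . '</p>' . "\n";    // quote and parenthesis rendered as text
echo '<p>' . h($row['comment']) . '</p>' . "\n"; // &lt;script&gt; is shown, not executed
```

Note that the validation step rejects or accepts; it does not try to remove dangerous characters. Stripping quotes or angle brackets from input is fragile and corrupts legitimate data, whereas binding parameters keeps the SQL safe and htmlspecialchars keeps the page safe regardless of what was stored.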