Protecting against XSS and SQL injection at the same time can be a very complicated task, potentially with many pitfalls that only someone with DOM and SQL expertise can fully gauge the risk of. Against SQLi there is plenty of documentation, but think of the following situations where JavaScript can be executed:
Properties like onload, onclick, onblur (...) allow you to execute JavaScript:
<img src="foo.gif" onload="alert('XSS!')"/>
URLs can run JavaScript when prefixed with "javascript:":
<a href="javascript:alert('XSS');">Ola Mundo</a>
I recommend reading the document https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet. There are hundreds of ways, even when using a filter against SQLi, to save in the database a string that will become an XSS problem when viewed.
What to do?
The simplest way to make sure you avoid SQLi and XSS at the same time is, in addition to using the well-known native functions against SQLi, to apply an aggressive filter. If a field only accepts integers, remove everything that is not a digit. If it is letters and numbers, filter down to just that. And, more importantly, avoid accepting HTML in user input.
If you really have to accept HTML, you should either use a ready-made library that removes all JavaScript references from the code, or make a whitelist of which tags are allowed and which tag properties are allowed, which is not trivial.
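The two layers this answer recommends, as an added example that is not code from the answer or from any project it links: a per-field allowlist filter (digits only, letters and digits only), a tag/attribute whitelist sanitizer for fields that must accept HTML, and a parameterized INSERT as the "native function" against SQLi. The allowlists ALLOWED_TAGS and ALLOWED_ATTRS are constructed for this example; it assumes only absolute http(s) URLs are acceptable in href/src (so "javascript:" URLs, including ones padded with tabs or newlines, are dropped), and it uses Python's standard html.parser and sqlite3 modules.

```python
import re
import sqlite3
from html import escape
from html.parser import HTMLParser

# Constructed allowlists: every tag or attribute not listed here is dropped,
# which is what removes onload/onclick/onblur and friends.
ALLOWED_TAGS = {"b", "i", "p", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_URL_SCHEMES = ("http://", "https://")  # assumption: no relative URLs


def filter_integer(value):
    """Field that only accepts integers: keep nothing but digits."""
    return re.sub(r"[^0-9]", "", value)


def filter_alnum(value):
    """Field that accepts letters and numbers: keep only ASCII [A-Za-z0-9]."""
    return re.sub(r"[^A-Za-z0-9]", "", value)


def safe_url(url):
    """Allowlist check on a URL: strip whitespace/control characters first so
    'jav\\tascript:' cannot sneak past, then require an http(s) scheme."""
    compact = re.sub(r"[\s\x00-\x1f]", "", url).lower()
    return compact.startswith(SAFE_URL_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment keeping only whitelisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_text = False  # true while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._drop_text = True  # drop the element and its contents
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text content is still escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops every on* handler, style, etc.
            if name in ("href", "src") and not safe_url(value):
                continue  # drops javascript:, data:, relative URLs
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img .../> without an </img>

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._drop_text = False
        elif tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._drop_text:
            self.out.append(escape(data))  # text is always HTML-escaped


def sanitize_html(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def make_db():
    """Constructed in-memory table standing in for the real comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments(user_id INTEGER, body TEXT)")
    return conn


def store_comment(conn, user_id_raw, body_raw):
    """Both layers together: filter/sanitize the fields, then bind them as
    parameters so the SQL statement itself never sees user-controlled text."""
    user_id = filter_integer(user_id_raw)
    if not user_id:
        raise ValueError("user_id must contain digits")
    body = sanitize_html(body_raw)
    conn.execute("INSERT INTO comments(user_id, body) VALUES (?, ?)",
                 (int(user_id), body))
    return body


if __name__ == "__main__":
    print(sanitize_html('<img src="https://example.com/foo.gif" onload="alert(\'XSS!\')"/>'))
    print(sanitize_html('<a href="javascript:alert(\'XSS\');">Ola Mundo</a>'))
```

The sanitizer keeps the text of a removed tag but escapes it, so a dropped `<u>` still leaves its words readable, while `<script>` and `<style>` lose their contents entirely because that content is code, not text. Parameter binding is kept separate from the filters on purpose: the filters reduce what reaches the database, the placeholders make sure that whatever does reach it cannot change the query.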
About SQL Injection and XSS
– rray
http://xkcd.com/327/
– Guilherme Bernal
Possible duplicate of this: http://answall.com/questions/3864/como-prevenir-injecao-de-codigo-sql-no-meu-codigo-php
– Bacco
@Bacco the question is different, I put 2 questions at the end that are not answered in the topic mentioned.
– Filipe Moraes