
List of characters to be restricted for protection against XSS and SQL Injections?

I have gone through a lot of articles out there to find a simple list of characters that a user can be restricted from inputting, to protect my site against XSS and SQL injection, but couldn't find any generic list as such.

Can someone help me out by simply giving me a list of safe or unsafe characters in this regard? I know this can be field specific but I need this for text field where I want to allow maximum possible characters.


The "black-list" approach is fraught with problems. For both SQLi and XSS, input validation against a white-list is essential i.e. define what you do expect rather than what you don't expect. Remember also that user input - or "untrusted data" - comes from many places: forms, query strings, headers, ID3 and exif tags etc.

For SQLi, make sure you're always using parametrised SQL statements, usually in the form of stored procedure parameters or any decent ORM. Also apply the "principle of least privilege" and limit the damage the account connecting to your database can do. More on SQLi here: http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html

On the XSS front, always encode your output and make sure you're encoding it for the appropriate markup language it appears in. Output encoding for JavaScript is different to HTML which is different to CSS. Remember to encode not just responses which immediately reflect input, but also untrusted data stored in the database which could hold a persistent XSS threat. More on all this here: http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-2.html

I know this goes a bit beyond your original question, but the point I'm trying to make is that allowable characters is but one small part of the picture. The other practices mentioned above are arguably more important (but you should still use those white-lists as well).


Character filtering is not how you should go about security. To prevent SQL injection, use prepared statements. To prevent XSS, you should escape all user input properly.
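A worked illustration of the advice in the two answers above (parametrised SQL, allow-list validation of a specific field, and output encoding chosen for the context the value lands in). This is added example code, not part of the original thread or of the linked articles; it uses Python's sqlite3 with a constructed in-memory table, and the user-name pattern is an assumption for one field, not a general rule.

```python
import html
import json
import re
import sqlite3
import urllib.parse


def make_db():
    """Constructed sample data: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable form: the untrusted value is spliced into the SQL text,
    so a quote in the input changes the structure of the query."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Parametrised form: the value travels separately from the query text
    and can never alter its structure, whatever characters it contains."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Allow-list validation for one specific field (assumed policy): say what a
# user name may look like instead of listing characters to forbid.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None


# Context-aware output encoding: the same untrusted string needs a different
# encoding depending on where in the page it is emitted.
def encode_for_html_body(value):
    """Text between tags: '<', '>' and '&' must not be parsed as markup."""
    return html.escape(value, quote=False)


def encode_for_html_attribute(value):
    """Inside a quoted attribute: quotes must also be encoded so the value
    cannot close the attribute and start a new one."""
    return html.escape(value, quote=True)


def encode_for_js_string(value):
    """Inside a <script> block: json.dumps gives a double-quoted JS string
    literal; '<' and '>' are additionally escaped so a '</script>' inside the
    literal cannot terminate the script element."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def encode_for_url_component(value):
    """Inside a URL query parameter: percent-encode everything reserved."""
    return urllib.parse.quote(value, safe="")


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, probe))   # every row comes back
    print("safe:  ", find_user_safe(db, probe))     # no such user
    print("valid? ", is_valid_username(probe))
    print(encode_for_html_body("<b>"), encode_for_js_string("</script>"))
```

Note that the allow-list rejects the probe string as a user name, but the parametrised query is what keeps the database safe even for fields (a free-text comment, say) where almost any character has to be accepted; the validation is defence in depth, not the primary control.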


Look at the implementation of XSS filtering in the Drupal CMS. The function has a white list of allowed HTML tags; everything else is escaped.
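The allow-list approach this answer points to, as an added example that is not Drupal's own filter and not part of the original thread: a small filter built on Python's html.parser that keeps only the tags and attributes on a constructed allow-list, drops event-handler attributes and non-http(s)/mailto links, and escapes every other tag so the browser shows it as text instead of interpreting it.

```python
import html
from html.parser import HTMLParser

# Constructed allow-list: permitted tags and, per tag, permitted attributes.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(), "i": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(),
}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def _safe_href(value):
    """Only absolute links with a known-harmless scheme are kept; this rejects
    javascript:, data: and protocol-relative URLs alike."""
    return value.strip().lower().startswith(SAFE_URL_SCHEMES)


class AllowListFilter(HTMLParser):
    """Rebuilds the fragment from parsed events, so malformed or disguised
    markup is normalised rather than matched by a blacklist regex."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Unknown tag: emit its source text escaped, so it is displayed.
            self.out.append(html.escape(self.get_starttag_text(), quote=False))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue  # drops onclick=, style=, src=, ...
            if name == "href" and not _safe_href(value or ""):
                continue  # drops javascript: and similar URLs
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)
        else:
            self.out.append(html.escape("</%s>" % tag, quote=False))

    def handle_data(self, data):
        # Character references were decoded by the parser; re-encode the text.
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped


def filter_xss(fragment):
    parser = AllowListFilter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for sample in (
        '<b onclick="evil()">hi</b>',
        '<a href="javascript:alert(1)">x</a>',
        "<script>alert(1)</script>",
        "Tom & Jerry <i>rule</i>",
    ):
        print(repr(sample), "->", repr(filter_xss(sample)))
```

Because the output is regenerated from parsed events, the filter never has to enumerate dangerous characters; anything not explicitly allowed ends up as escaped text. This is sanitisation for the one case where some HTML must be accepted; for ordinary fields, the plain output encoding from the earlier answer is simpler and safer.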
