What steps should I take to guard my site from script injection?
Greetings Everyone
Being a newbie to JavaScript attacks and all other sorts of attack prevention and care, I would like some input as to how I can make my website more secure against attacks.
We are launching a new website which is in Arabic (utf8). There is an input box on our website that takes a search string from users and displays this string with the results. Also this string is inserted into our MySQL database to keep track of what people are searching for.
What I've done on the backend is put strip_tags, mysql_real_escape_string on the search string. I tried using JavaScript's escape function on the input search string but this totally messes up the Arabic text and I can't use this string to search in the backend or even display the searched string in the front end. Is there anything more I can do on the front end or the back end to make the website more secure from attacks?
Thanking you, Imran
I would strongly advise against doing any sort of escaping on the client-side. You can't rely on the fact that the escaping actually happens, both because malicious users could modify the script on their end to bypass the escaping and because older browsers (or browsers with script blockers) might end up preventing the script from running. As a general rule, never trust any data that comes from the client, even if you've made an effort to sanitize it on the client end.
What you're doing on the server end seems well-intentioned. Without more access to the code I don't think we can confirm that you're using those functions correctly, but you're at least on the right track for using them.
Best of luck with the site, by the way!
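Added example, not code from the thread or from any poster: one way to handle the search string entirely on the server, storing it through a bound parameter and encoding it only at the point where it is written into HTML, so the Arabic text is left intact. The table name search_log, the helper function names and the in-memory SQLite database (standing in for MySQL) are assumptions made for the demo, and it assumes the PDO SQLite and mbstring extensions are enabled.

```php
<?php
// Added example: server-side handling of a UTF-8 (Arabic) search string.
// Table name, helper names and the SQLite stand-in are assumptions for the demo.
declare(strict_types=1);

// Reject input that is empty, not valid UTF-8, or unreasonably long.
function read_search_term(string $raw, int $maxChars = 200): ?string
{
    $raw = trim($raw);
    if ($raw === '' || !mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    return mb_strlen($raw, 'UTF-8') <= $maxChars ? $raw : null;
}

// Store the raw string with a bound parameter so it is never parsed as SQL.
function log_search(PDO $db, string $term): void
{
    $stmt = $db->prepare('INSERT INTO search_log (term) VALUES (:term)');
    $stmt->execute([':term' => $term]);
}

// Encode for an HTML text or quoted-attribute context at output time.
// Only & < > " ' are converted, so Arabic letters pass through unchanged.
function html_out(string $term): string
{
    return htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('sqlite::memory:');   // stand-in for the site's MySQL database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE search_log (term TEXT NOT NULL)');

// Constructed sample inputs: plain Arabic, Arabic with quotes, and markup.
$samples = ['كتب عربية', "مطعم 'الشام'", 'قصص <script>alert(1)</script>'];

foreach ($samples as $raw) {
    $term = read_search_term($raw);
    if ($term === null) {
        continue;   // invalid input is neither stored nor echoed
    }
    log_search($db, $term);
    echo '<p>Results for: ', html_out($term), "</p>\n";
}
```

The mysql_* functions, including mysql_real_escape_string, were removed in PHP 7.0; bound parameters through PDO or mysqli replace them.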
You can avoid the problem by changing the design.
Leave the input box untouched, and do not give back the search string in the result.
For the list that you store in your DB, as long as you do not show it to a user in a web page there is no risk for script injection.