Web site: a user inputs text into a field - what do I have to watch out for?
Could somebody give me a list of things I need to watch out for this situation? So far I've only heard of SQL injection and special characters.
What else is out there, and what preventative measures do I need to take? To be a bit more specific, I'm using AJAX with PHP as my server-side language, and MySQL as my database system.
Thanks.
First, talking with the database:
You need to pass input to the database using a mechanism that will prevent SQL injection attacks; the most reliable mechanism is to always use parameterized queries whenever accepting any kind of user-supplied input.
Second, returning data to the user:
Whenever you retrieve user-supplied data from the database and print it to the user, you must escape all HTML elements to prevent the user from injecting CSRF, XSS or similar attacks to other viewers.
A user inputs text into a field - what do I have to watch out for?
Absolutely nothing! There is no problem to accept any and all information from user input.
The problem is what you do with that input. Some ideas:
- Concatenating user input to form SQL queries can lead to SQL injection.
- Applying user input to fixed length buffers can lead to buffer overflows.
- Posting user input back to an HTML page can lead to cross site scripting.
- User input used as part of running commands on the server can lead to arbitrary command execution.
- ...
You see, there is absolutely nothing you need to be concerned about with user input. Rather, you need to make sure that user input can't be "injected" into SQL, buffer, HTML or command executions you are making on the server.
Also, you need to make sure that user input actually meets the type specifications of your backend (i.e. people can easily manipulate your inputs to send anything back to the server, which can lead to exceptions being generated on the backend). And finally, users can frequently manipulate parameters to spoof their identity if you are poorly linking client requests to backend authorized transactions.
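The controls the two answers above describe (parameterized queries on the way in, HTML escaping on the way out, and a type check on client-supplied values), put together for the asker's PHP + MySQL stack. This is an added example, not code from either answerer; it assumes a table `comments(id INT, body TEXT)` and uses placeholder DSN and credentials.

```php
<?php
// Added example: assumes a `comments` table with `id` (INT) and `body` (TEXT);
// the DSN, user name and password below are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// 1. Talking to the database: the text is bound as a parameter, so it travels
//    separately from the SQL text and cannot change the statement's structure.
function saveComment(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Type check: the client may send anything as "id"; accept only a positive integer.
function fetchComment(PDO $pdo, mixed $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject instead of letting malformed input reach the query
    }
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

// 2. Returning data to the user: escape at output time, for the HTML context.
function renderComment(string $body): string
{
    // ENT_QUOTES covers both quote styles so the value is also safe inside a
    // quoted attribute; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') . '</p>';
}

// AJAX handler: store the posted text, then echo it back escaped.
$pdo = connect();
$id  = saveComment($pdo, (string) ($_POST['body'] ?? ''));
echo renderComment(fetchComment($pdo, $id) ?? '');
```

Escaping happens where the value is emitted (HTML here), not where it is stored, so the same stored text can later be emitted safely into JSON or a URL with the escaping appropriate to that context.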
I don't know if this answers your question or if that's the kind of answer you are looking for but I usually pass the posted variables to mysql_real_escape_string which escapes all the special characters and prevents injection.