Xantomen / GamesInputPal

http://xantomen.com/gamesinputpal/
GNU General Public License v3.0

Security: Sanitise Inputs #9

Closed Xantomen closed 8 years ago

Xantomen commented 8 years ago

Also, you are currently using .val to set values, so that's safe, but for future safety, htmlencode values before sending them to the server... or at least replace all < with &lt;, because like this you could have people injecting scripts into their templates (having worked as a security consultant for years, these are the things I check first :P ) -Stefan

Xantomen commented 8 years ago

Using $property = mysqli_real_escape_string($con,$property); in every POST variable

I guess that's enough for now?

Xantomen commented 8 years ago

If you do a replace of < with &lt; before storing it to the db, then all should be fine (that way you strip out all html tags, to prevent XSS and CSRF). Although with the system you are using now it's not an issue, if in the future you change it so it doesn't use jQuery's .val() to write the content, but something like innerHTML or static loading, then having the actual brackets could be... very bad -Stefan

Xantomen commented 8 years ago

I am not using that last piece of advice for the moment, for readability and to reduce on time chasing around special characters when saving and loading. Will in the future if necessary.
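The thread above mixes two different layers of escaping: mysqli_real_escape_string() for the SQL layer, and replacing < before storage for the HTML layer. The example below is added here and is not GamesInputPal's code; it shows the split a practitioner would normally want instead: bound parameters for MySQL (which, unlike mysqli_real_escape_string(), do not depend on the value being placed inside quotes or on the connection charset having been set), and htmlspecialchars() applied at render time, so the stored template keeps its brackets exactly as typed and the markup never sees them unencoded. The templates table and its columns, the GIP_DB_* environment variables and the sample template body are assumptions made for the example.

```php
<?php
// Added example (not GamesInputPal's own code). Values reach MySQL through
// bound parameters, stay exactly as the user typed them, and are HTML-encoded
// only when rendered into markup. The table, its columns and the GIP_DB_*
// environment variables are hypothetical.

declare(strict_types=1);

// HTML-encode a value for safe interpolation into an HTML text node or an
// attribute. ENT_QUOTES also encodes the single quote, so the result is safe
// inside single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store a template with a prepared statement. A bound parameter is never
// spliced into the SQL text, so it needs no surrounding quotes and does not
// rely on mysqli_real_escape_string() or the connection charset.
function saveTemplate(mysqli $con, string $name, string $body): bool
{
    $stmt = $con->prepare('INSERT INTO templates (name, body) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('ss', $name, $body);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Load a template body by name, again through a bound parameter.
function loadTemplate(mysqli $con, string $name): ?string
{
    $stmt = $con->prepare('SELECT body FROM templates WHERE name = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($body);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $body : null;
}

// Render a template for the page. The raw body only ever enters the markup
// as encoded text; if the client later switches from jQuery's .val() to
// .html() or innerHTML, this encoded string is what it must receive.
function renderTemplate(string $name, string $body): string
{
    return '<h2>' . h($name) . '</h2>' . "\n"
         . '<textarea name="template">' . h($body) . '</textarea>';
}

// Constructed sample input: a "template" carrying markup and a script.
$name = 'Evil "template"';
$body = "Press <b>A</b>\n<script>alert(document.cookie)</script>";

// The rendered markup contains no executable <script> element, while the
// value handed to the database below is the user's text, brackets included.
echo renderTemplate($name, $body), "\n";

// Only talk to MySQL when connection details are provided, so the encoding
// demonstration above still runs without a database.
if (getenv('GIP_DB_HOST') !== false) {
    $con = new mysqli(
        (string) getenv('GIP_DB_HOST'),
        (string) getenv('GIP_DB_USER'),
        (string) getenv('GIP_DB_PASS'),
        (string) getenv('GIP_DB_NAME')
    );
    $con->set_charset('utf8mb4');
    saveTemplate($con, $name, $body);
    if (loadTemplate($con, $name) !== $body) {
        throw new RuntimeException('round trip altered the stored template');
    }
    $con->close();
}
```

Run it with the php CLI; without the GIP_DB_* variables it only prints the rendered markup. The design point is that storing the raw text and encoding at output avoids the special-character chasing mentioned in the last comment, because nothing is ever decoded on load. jQuery's .val() is safe today because it assigns the control's value property, which the browser never parses as markup; any later move to .html() or innerHTML must go through h() or an equivalent encoder.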