I use several forms on my site to send data to MySQL.
Which is the best way / method to validate开发者_StackOverflow my form, if I don't want to users send any script to the database through my forms?
Forget about jQuery. You can't use anything running on the client to make things safe — the client can always override it.
You need to deal with the data on the server. See How can I prevent SQL injection in PHP? to protect your database and What are the best practices for avoiding xss attacks in a PHP site to protect your pages.
Is this ever a loaded question... and covers more than can fit in one answer.
If you have to ask a question in the general terms you did, I'd highly recommend finding a mentor to help you as this is not a topic you really want to learn-by-doing.
Several, similar questions have been asked and I highly encourage you to seek them out and read them. Also, seek out some quality blog posts on this and/or a community centered around a particular product that is similar to the one you are building to see how they did it.
Some tips in the meantime:
- I noticed the
jquery
tag... JavaScript validation should be the 2nd thing you look at and more as a means of providing immediate feedback for the user. Because it can be turned off at the client side you cannot rely on any JavaScript validation being done. - Strictly check data types on the server. If you're supposed to be getting a number back, make sure it is really a number. If its one of a handful of options, check and only accept the available options.
- Do not just accept data from a form control - even if its a select box or a hidden field. People will play silly buggers with your form data and you just cannot rely on getting back what you think you'll get back.
To prevent SQL injection, use prepared statements. To prevent HTML injection, check out htmlspecialchars
, htmlentities
, strip_tags
and the filter functions, or use a 3rd party library to strip all but whitelisted tags & attributes.
精彩评论