How do you protect against malicious code in web forms?

Question

I understand this is probably going to sound like an extremely rudimentary question to some of the more senior people on here but, I had to ask. I understand Google is there for my use but, I wanted to make sure I found the right answer. My friend is concerned that when we post a coming soon page for our project that someone could post malicious code into our web form (username, dob, email, contact information sort of web form) and he wants to know what's the best way to protect against such malicious code injections.

Do you just get SSL protection on your database or is there something more programming intensive we need to produce to protect ourselves and the information we collect?

Answer 1

You sanitize your inputs before storing them, which generally means e.g. escaping special characters in sql or whatever before building a query.

Pretty much every language and platform for building web applications provides ways for you to do this. Typically you'll use whatever version of parameterized queries your infrastructure provides and it will handle escaping for you. But "sanitizing inputs" is the Google keyword here.

This has nothing to do with ssl at all. Ssl encrypts network traffic so third parties can't spy on it. The use of ssl is completely independent of your sites susceptibility to code injection attacks.

I would go into more detail about sanitizing inputs but without more information there's not much I can say, and also info about this is readily available in docs, tutorials, and examples all over the Internet.