what kind of code can damage my site

Question

I want to make sure rogue users can't damage my site or database by inserting code in my input fields. What kind of code should I use to test it? I know there are html tags like iframe but I don't know what to put inside to test it.

Thanks.

Answer 1

HTML

I think using htmlspecialchars(doc) (It's a function in PHP but other language may has similar function) or using other markup system(?)s like phpBB and MediaWiki would be work. Using HTML tags by black/whitelisting tags can work but it's quite dangerous - a cracker would harm your site by XSSing.

For example, you may think that only allowing p, br, img, font, a is OK (BTW, it's not good to use font when one can use CSS), but XSS can be done by input <img src="asdf" onerror="alert('hi')"/> or <a href="javascript:alert('hi')">.

SQL

You should aware of SQLi - injecting SQL commands.

An example of SQLi is :

A way to avoid being SQLi'd in PHP is using mysql_real_escape_string(doc).

Answer 2

Insert special characters, especially ', ?, ", $, ;, , and \. If your site doesn't fail on those, you're on the right track.

But the best is to use queries with parameters. You just pass the string as a parameter and the database takes care of escaping the characters for you. You can hardly make a mistake if you do that.

Answer 3

It really depends on the architecture and user interaction with your site. SQL injection into user entered fields is a typical attack on systems that use databases for user logins etc. Hence restrictions on characters entered into user fields and screening them before use.

"About your son ..." "Oh Little Billy !drop tables ?"

Answer 4

You could read about SQL Injections