I have a script that is going to give each user their own page. I have it to where they can style their page by entering some CSS into a form, which gets inserted into MySQL, passing through mysql_real_escape_string() first. Then, when called, the slashes are taken back out to output the code. So my question is, what are the security risks associated with this? Could any harm be done by letting a user input his own CSS?
mysql_real_escape_string() will prevent SQL injection attacks. Depending on what exactly your site does, there might still be cross-site scripting vulnerabilities. (Like if someone put malicious code in their CSS, and then your site displayed that to users.)
I was hoping to just let people change the layout/colors of the site... sort of like how MySpace and others do. So how does MySpace allow people to do their own CSS without worrying about cross-site scripting vulnerabilities?
If you're only allowing people to change colors, you should probably be fine using htmlentities() or simply removing all non-alphanumeric characters.
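For the colors-only case discussed in this thread, here is an added example (not code from any of the posts) that builds the stylesheet from validated form fields instead of storing and echoing raw CSS. It uses allowlist validation rather than htmlentities(); the field names, selectors and color list are hypothetical.

```php
<?php
// Hypothetical mapping: form field name => [CSS selector, CSS property].
const THEME_FIELDS = [
    'page_bg'    => ['body', 'background-color'],
    'text_color' => ['body', 'color'],
    'link_color' => ['a',    'color'],
];
// Hypothetical allowlist of named colors; anything else must be a hex value.
const NAMED_COLORS = ['black', 'white', 'red', 'green', 'blue', 'gray', 'yellow'];

// Return a normalized color, or null if the input is not a plain color.
function clean_color(string $value): ?string
{
    $value = strtolower(trim($value));
    // Accept #rgb or #rrggbb only, so url(), quotes, braces and tags never pass.
    if (preg_match('/\A#(?:[0-9a-f]{3}|[0-9a-f]{6})\z/', $value) === 1) {
        return $value;
    }
    return in_array($value, NAMED_COLORS, true) ? $value : null;
}

// Build CSS from submitted fields; unknown fields and bad values are dropped.
function build_theme_css(array $input): string
{
    $css = '';
    foreach (THEME_FIELDS as $field => [$selector, $property]) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            continue;
        }
        $color = clean_color($input[$field]);
        if ($color !== null) {
            $css .= sprintf("%s { %s: %s; }\n", $selector, $property, $color);
        }
    }
    return $css;
}

// Constructed sample input: two valid colors and one value that tries to
// close the style block, which clean_color() rejects.
$submitted = [
    'page_bg'    => '#FFEEDD',
    'text_color' => 'black',
    'link_color' => 'red; } </style>',
];
echo build_theme_css($submitted);
```

Because selectors and properties come from the server-side table and values are limited to hex digits or listed names, the generated rules contain no user-controlled characters that could end the style block or start a new rule.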