So I am trying to make a horse game using php and mysql and need some help with sql injections and xss vulnerability. So I am planning on validating the data from all of the forms by doing the following: Using mysql_real_escape_string for all information from the forms and also by using the following statement: if(!is_numeric(INPUT HERE)) die("Please choose a number."); for anything with numbers. Is this going to be enough to prevent any sort of attack? I couldn't find too much on xss attacks that was easy to understand. Is there anything else I can do to help protect my data. Thanks!
Take a look at the sanitize filters (if you have PHP 5.2.0 or above) That is better than just using mysql_real_escape_string You should look at a better method of handling errors too than just stopping the script with the die() statement XSS shouldn't be an issue if you don't use things like $_SERVER['PHP_SELF'] in your form actions Take a look at the security articles on the addedbytes.com http://www.addedbytes.com/writing-secure-php/writing-secure-php/ http://www.addedbytes.com/writing-secure-php/writing-secure-php-2/ http://www.addedbytes.com/writing-secure-php/writing-secure-php-3/ http://www.addedbytes.com/writing-secure-php/writing-secure-php-4/
I'd recommend downloading the Acunetix Web Vulnerability Scanner. It's a tool that will check a website for any security holes. It even comes with a firefox plugin that lets you run multiple tests in the background. It's a very useful tool that gives you a lot of information about each security hole, how the website can be hacked and how it can be repaired. There's a free version that checks for SQL and XSS vulnerabilities, a full version that performs a lot more checks but will cost you a few kidneys and there's a cracked version on torrent sites.