Special characters, spaces, accents and XSS in PHP user registration

1

I have a problem that leaves me vulnerable when it comes to registering new users in my database. I wanted to know about the following: 1. Scripts in the registration form, 2. Accents in the registration form, 3. Special characters, 4. Spaces in the name

1. <script>alert("alerta")</script>

2. ñàó

3. )(/&%$·"!ª[]{}-_,'^

4. hola k ase

In case it matters, I am building the system with object-oriented MySQLi.

asked by Jorge Castro 15.07.2016 at 01:56

3 answers

1

To prevent an XSS (Cross-Site Scripting) attack you can filter the data with htmlspecialchars.

If we obtain the data via $_GET or $_POST, we must always filter the data before adding it to the database.

If there are several sources of data entry, the best approach is to filter the data at the point where it is displayed, right before it is printed.

Example of an XSS attack

<?php
// XSS attack test: a user-supplied string that contains a script tag
$str = '<script>alert("hacked")</script>';

// Without XSS protection: the tag is emitted as-is and the browser executes it
echo $str;

// XSS protection (Cross-Site Scripting): encode the HTML metacharacters so the
// browser shows the tag as text instead of running it
echo htmlspecialchars($str, ENT_QUOTES, 'UTF-8');

As you can see, with echo $str the browser will pop up a message box with the text "hacked"; to prevent that, use htmlspecialchars...

answered by 15.07.2016 at 09:52
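The registration flow the question describes, as an added example (not code from the original answer): the four sample names from the question are stored through a prepared statement, read back unchanged, and escaped with htmlspecialchars only at the moment they are rendered. It uses PDO with an in-memory SQLite database so it runs without a server; the object-oriented MySQLi equivalent the asker uses is shown in a comment. The users table and its name column are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// The four inputs from the question (constructed test data).
const SAMPLE_NAMES = [
    '<script>alert("alerta")</script>',
    'ñàó',
    ')(/&%$·"!ª[]{}-_,\'^',
    'hola k ase',
];

// Store a user with a prepared statement. The name travels as a bound
// parameter and is never spliced into the SQL text, so quotes, accents,
// symbols and spaces are stored exactly as typed and cannot alter the query.
// With object-oriented mysqli the same call is:
//   $stmt = $mysqli->prepare('INSERT INTO users (name) VALUES (?)');
//   $stmt->bind_param('s', $name);
//   $stmt->execute();
function store_user(PDO $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

// Read the name back; nothing is modified on the way in or out of the table.
function load_user(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

// Escape at output time. This is the step that stops a stored <script> tag
// from executing: <, >, &, " and ' become entities the browser renders as text.
// ENT_SUBSTITUTE keeps invalid UTF-8 sequences from silently emptying the output.
function render_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Demo: assumed schema with a single users table (example only).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL)');

foreach (SAMPLE_NAMES as $name) {
    $id = store_user($db, $name);
    $stored = load_user($db, $id);
    // Storage is lossless: accents, symbols and spaces survive untouched.
    assert($stored === $name);
    // Only the rendered form is encoded.
    echo $id . ': ' . render_name($stored) . PHP_EOL;
}
```

Run it with `php register.php`. The design point is that the two concerns are separated: the prepared statement protects the database regardless of what characters the name contains, and htmlspecialchars protects the page when the value is displayed. Inputs 2 through 4 (accents, symbols, spaces) need no stripping or rewriting at all; only input 1 changes appearance, and only in the HTML output, where it is shown as literal text instead of running.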
0

You can use the "htmlspecialchars" function of PHP to avoid code injection! That can help you when registering users.

answered by 15.07.2016 at 06:25
0

Cross-site scripting, or XSS, is a set of vulnerabilities that affect browsers, based on client-side scripts; it can NOT directly affect your database (be it MySQL or another).

But if you allow clients to save scripts in your tables, it may be advisable to clean up what you return from MySQL/PHP to the client's browser, controlling what is and is not permissible.

You could, for example, replace every <script> tag with a regular expression to prevent it from running in the client's browser.

answered by 15.07.2016 at 09:29