Ways I can protect my site excluding XSS and Sql injection?

Question

So, members of my website can post topics, replies, comments, edit them and so on. I always use htmlspecialchars and addslashes for html inputs to protect my site against XSS and SQL injection attacks. Is it enough or is there something more I miss?
Thanks.

Answer 1

There is a lot that can go wrong with a web application. Other than XSS and SQLi, there is:

1. CSRF - Cross Site Request Forgery
2. LFI/RFI - Local File Include/Remote File Include caused by include(), require()...
3. CRLF injection in mail()
4. Global Variable Namespace Poising commonly caused by register_globals,extract(), import_request_variables()
5. Directory Traversal: fopen(), file_get_contents(), file_put_conents()
6. Remote Code Execution with eval() or preg_replace() with /e
7. Remote Code Execution with passthru(), exec(), system() and ``

There is a whole family of vulnerabilities regarding Broken Authentication and Session Management which is apart of the OWASP Top 10 that every web app programmer must read.

A Study In Scarlet is a good black paper that goes over many of these vulnerabilities that I have listed.

However, there are also strange vulnerabilities like this one in Wordpress. The definitive authority on what is a vulnerability is the CWE system which classifies HUNDREDS of vulnerabilities, many of which can affect web applications.

Answer 2

You should use prepared statements (see PDO) to prevent SQL injection. When outputting the content htmlspecialchars() seems sufficient to prevent XSS.

Also take a look at these links for more ways to protect your site:

http://phpsec.org/projects/guide/

http://cwe.mitre.org/top25/#Listing

http://www.owasp.org/index.php/Top_10_2010-Main