First of all, let me tell what I've done for security right now.
I've escaped all inputs. But, to remain further safe, I allow only certain characters in a field. A server-side validation checks that. The following is a list of fields and what characters I accept for example.
During registration:
- Name(alphabets and period)
- Username(alphanumeric characters, underscore and period)
- Password(alphanumeric characters, underscore and period)
- Phone(numbers only)
- Address(alpha-numeric, comma and period)
But, I can't find anything else to secure my application. I know password isn't an issue because irrespective of the characters entered, they will be hashed. So, I guess, I can accept any character. But, the main issue is for other fields. All these ridiculous validation, I guess, irritates my users to every bit.
But, the saddest thing starts when a user wants to post an article. For posting an article, there are 4 fields that need to be filled; Title, Summary, Article and Tags.
Just imagine how annoying it must be when the Title allows nothing but alphabets, space and numbers(!,? also). And, the field "Summary" also accepts the same as the Title. And, all this simply so that I can secure the web application! Ridiculous, isn't it?
For the article field, I've used ckeditor(http://ckeditor.com/). So, I haven't done anything as I guess it does the escaping, converting to HTMLchars and all by itself.
Now, the article field accepts Unicode characters(I mean characters in other scripts) but the title and summary doesn't. And, most of my users don't publish in English. So, in a way, the application is being useless.
So, this is basically an issue of making it user-friendly vs. security. I know there are other much better ways of ensuring security than what I've done and that's what I wanna ask you people.
I was thinking that since I don't "Select" any data on any of the above parameters(title, tags, summary, address), I can simply escape the characters and convert them to HTMLchars if they are printed on a page somewhere. But I'm not so sure if that much will be secure enough. Will it?
So, this is all! I just need something stronger to prevent SQL injection(and XSS). I know that using Prepared Statements or PDO is the best thing to do. But, I'm an extremely new beginner in all this and I can't find any simple tutorial. If you know of any, it'd be really kind of you to tell me.
Yeah! That's all! And, one more thing, most of my users don't seem to activate their account(through the email the application sends). But, I guess, that's vital to verify the email. So, is there anything that can be done? Any better idea?
P.S.: I use SQL and not SQLi. And, if I need to convert my app. from sql to sqli, can I use some sort of scripts? I came across one at http://dev.mysql.com/get/Downloads/Cont ... /from/pick.
Sorry for my poor English and hope someone will help!