While there is a lot of information available on sanitizing, filtering, and validating forms for simple inputs like email addresses, phone numbers, and addresses, the security of your application ultimately relies on its weakest link. What if your form includes a large textarea where users can write flexible, HTML-readable entries?
Take StackOverflow as an example - their textarea allows users to format text, include links, pictures, and other HTML elements when asking or answering questions. This means they have to permit HTML tags, special characters, and more. How do they ensure that no malicious content makes its way into their database, and how can you do the same?
In my web app, I've implemented the following security measures:
- Using PDO Prepared Statements for dynamic database inputs
- Limited production site database access to a user with minimal privileges
- Client-side validation (primarily for user convenience)
- Utilizing POST methods instead of GET
- Disabling error_display to prevent probing by malicious users
Although server-side validation is recommended, it could restrict what users are able to submit. For instance, filtering out HTML tags would disable links, images, and formatting. Output filtering using htmlentities poses a similar issue. Is there a more nuanced approach to address this problem?
What additional steps can I take to enhance security?
I should mention that all user submissions will undergo moderation before being displayed on the website. This process covers output filtering, but input filtering remains a concern.