I've found a lot of info on sanitizing, filtering, and validating forms when it comes to simple inputs like email, phone numbers, addresses, etc.
But the security of your app is only as strong as your weakest link. What if your form also includes a large textarea, lets say, that you want your users to be able to write flexible, html readable entries?
For example this textarea on StackOverflow allows you to format text, include links, pictures, etc when you are asking a question or submitting an answer. Stack overflow takes user's inputs, put it into their database, then display it on the web: pictures, links, and all. Which means they have to allow html tags, special characters, and the like. How do they, and how can I, make sure there is no malicious content being put into my database?
To get specific, here are the security implementations I've added to my web app:
- PDO Prepared Statements when working with dynamic database inputs
- Limited my production site's database access to a user with less privileges (so if someone does gain control, they'll only be able to update, insert, or select)
- Client-side validation (pretty much useless in this context, it's just for users' convenience)
- Using POST, not GET
- Turned error_display off, so malicious users can't probe
I know the best practice is to filter and validate the POST[] using server-side validation, but doing that will limit what my users can submit. For example, filtering out all html tags will disable links, images, and formatting. Same problem with output filtering with htmlentities. Maybe there is a more nuanced way to do it?
What else can I do to secure this?
I should add: There will be a moderation process before any output is displayed. Each user entry will have a pair of eyes looking at it before it is allowed to be put on the website. That takes care of output filtering, but input filtering is still an issue.
