Which Type of Input is Least Vulnerable to Attack?

Question

Which type of input is least vulnerable to Cross-Site Scripting (XSS) and SQL Injection attacks.

PHP, HTML, BBCode, etc. I need to know for a forum I'm helping a friend set up.

Answer 1

We need to know more about your situation. Vulnerable how? Some things you should always do:

• Escape strings before storing them in a database to guard against SQL injections
• HTML encode strings when printing them back to the user from an unknown source, to prevent malicious html/javascript

I would never execute php provided by a user. BBCode/UBBCode are fine, because they are converted to semantically correct html, though you may want to look into XSS vulnerabilities related to malformed image tags. If you allow HTML input, you can whitelist certain elements, but this will be a complicated approach that is prone to errors. So, given all of the preceding, I would say that using a good off-the-shelf BBCode library would be your best bet.