有关XSS攻击和SQL注入的问题

Question

I'm new to web security .After spending time reading some blogs and community sites like SO ,I have found some techniques to be safe from XSS Attack and SQL Injection .But the problem is,most of that security related questions are very old.So,my question is

does my following code has any major security holes that can be bypassed by amateur or mid-level attacker(hacker) .

Is there anything else I can do to be safe from attack?By the way,I'm using HTMLPurifier to be safe from XSS Attack

PHP

require_once '/path/to/HTMLPurifier.auto.php';

$connect_dude=mysqli_connect('localhost','root','','user');

$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);

if(isset($_POST["sub"])){
  $name=$_POST["namex"];
  $email=$_POST["email"];
  $ques=$_POST["ques"];
  $clean_name = $purifier->purify($name);
  $clean_email = $purifier->purify($email);
  $clean_ques = $purifier->purify($ques);

  $stmt = mysqli_stmt_init($connect_dude);
     if(mysqli_stmt_prepare($stmt, 'INSERT INTO question (name,email,question) VALUES(?,?,?)')) {

        mysqli_stmt_bind_param($stmt, "sss", $clean_name, $clean_email, $clean_ques);
        mysqli_stmt_execute($stmt);
      }
}

HTML FORM

<div id="form">
  <form id="sub_form" action="ask.php" method="post" enctype="multipart/form-data">
     <p id="nam" class="indi">Name</p><input type="text" id="namex" name="namex" placeholder="Your Name" required></br>
     <p id="ema" class="indi">Email</p><input type="text" id="email" name="email" placeholder="Email" required></br>
     <p id="que" class="indi">Question</p><textarea id="ques" name="ques" placeholder="Question" required></textarea></br>
     <input type="submit" id="sub" name="sub" value="Send">
  </form>
</div>

Answer 1

The SQL stuff is fine, parameterised queries are the best-practice approach to prevent SQL injection.

The approach to XSS is... a bit weird.

HTMLPurifier is of use where you want to allow the user to input limited HTML markup. That can be reasonable for formattable freetext fields (like I'm guessing ques is) if you can't be bothered to go as far as providing your own custom mini-markup language like Markdown.

But do you really want the user to be able to input markup for all fields, including their name and e-mail address? Should I be able to have the name “Edw ard J r”? Are users going to have to enter & every time they want to use an ampersand?

A better approach is usually to accept plain text as it is, and then HTML-escape it at the point you insert it into an HTML page (eg with <?php echo htmlspecialchars($value); ?> ) so that the exact string entered by the user appears in the page. The fields where you deliberately allow markup (and so use HTMLPurifier instead of htmlspecialchars) are typically very much exceptional cases.

Note that if you are injecting into other contexts you need different escaping functions: for example if you are injecting into a JavaScript string in a <script> block then you need JS-string escaping and neither htmlspecialchars nor HTMLPurifier will help you with that.

Answer 2

Perhaps testing if each of the post variables are set and not just the sub one. Also, checking them in javascript as well before sending to php to rid the post of any unwanted characters. You can regex and test for empty strings in javascript for example.

The most checks - the better.

You can also use names that are not so common (abrv_page_name_email instead of simply "email").

Lots of stuff.

Regex and mysqli_real_escape_string are also common practice.