$allowedForUniversalUsage = htmlEntities($_GET["potentially_super_malicious_code"], ENT_QUOTES);
Does script above help me against XSS and MySQLi injection?
My thoughts would be:
Protection against XSS: Yes
I mean, XSS means that someone would be able to input code which will be shown publicly and will be executed, then htmlEntities(). It converts actual code into encoded strings, so it is seen as <a href="#">Close</a> by the browser. I can print this, but it won't be executed, so it can't really do anything anymore, can it?
Why do I ask, if I found an answer? I still have concerns. Will the line that I gave at the beginning block malicious content in
$_GET["potentially_super_malicious_code"]? Single quotes, double quotes, penta quotes, triangles, daggers, Doritos: everything that could be understood as code will be parsed into a textual-like form? Is there no general way to bypass it?
Protection against MySQLi injection: Yes
Same as with XSS. Doesn't
"'s? Which are super essential? If I bound params, used MySQLi string escapes, allowed only alphanumericals and forced
htmlEntities() parsing, does this block every possible attempt of "bad things happening"?
I know that there are some very high-end website crackers who will find some hyper-super-duper 5 TiB long SQL query which will incinerate the script. But will it keep 99.9% of tryhards/script kiddies away? Is it RELATIVELY impossible to break?
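For reference, the three layers the question mixes together (input validation, SQL parameterisation, HTML output encoding) pulled apart into separate functions. This is an added example, not code from the question; it assumes a `users` table with `username` and `display_name` columns and an existing mysqli connection, and the sample strings are constructed for the demo.

```php
<?php
// Added example, not from the original question. Assumes a mysqli
// connection $db and a users(id, username, display_name) table.
declare(strict_types=1);

// Layer 1, input: keep the raw value and validate it against what the
// field is supposed to contain (here 1..32 word characters, dots, dashes).
function validate_username(string $raw): ?string
{
    return preg_match('/\A[\w.-]{1,32}\z/u', $raw) === 1 ? $raw : null;
}

// Layer 2, database: a parameterised query. The value is sent separately
// from the SQL text, so quotes or backslashes in it cannot change the
// statement. No HTML entity encoding belongs at this layer.
function find_user(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, display_name FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Layer 3, output: encode at the moment the value is written into HTML
// text or a quoted attribute, never before storing it. ENT_QUOTES covers
// both quote styles; the charset must match the page's encoding.
function html_text(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample values showing what each layer does with them.
$samples = ["O'Brien", '<a href="#">Close</a>', 'plain_user-01'];
foreach ($samples as $raw) {
    printf("raw:       %s\n", $raw);
    printf("as name:   %s\n", validate_username($raw) ?? 'rejected');
    printf("for HTML:  %s\n\n", html_text($raw));
}
// Note the first sample: encoding it before storage would save
// "O&#039;Brien" in the database, which is data corruption, not protection.
```

With a live `$db`, `find_user($db, "O'Brien")` returns the matching row (or null) without any quoting concerns, because the apostrophe never enters the SQL text.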