I'll be working on a project that basically takes a UID and displays basic user info like courses taken. Seems simple, but I'd like to read suggestions as to how to best tackle this. I would like to protect against possible XSS attacks and SQL injections. Any suggestions? I have the option of developing in a LAMP setup and a Windows Server 2012/MSSQL.
What I've thought so far, in the LAMP:
- PHP page (e.g., main_page.php) that will read the GET value, escape any weird characters, and run a query from an imported script file (e.g., require('my_db.inc');).
- PHP script, my_db.inc, that will contain database connection info and functions to execute queries.
- The data returned to main_page.php will be displayed in a table.
Thanks in advance!
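The main_page.php flow sketched in the question, with the two controls it asks about (parameterised query against SQL injection, output escaping against XSS), written as an added example rather than code from the original post. Table names, column names, the DSN and the credentials are assumptions; the connection details would live in my_db.inc in the poster's design.

```php
<?php
// Added example, not from the original post. Assumed schema (hypothetical):
// courses(uid INT, course_code VARCHAR NOT NULL, title VARCHAR NOT NULL).
// DSN and credentials are placeholders and would live in my_db.inc.
declare(strict_types=1);

function db(): PDO {
    // Exceptions on, emulated prepares off, so the MySQL server receives a real
    // parameterised statement (for the MSSQL option use the sqlsrv: DSN instead).
    return new PDO('mysql:host=localhost;dbname=students;charset=utf8mb4',
                   'app_user', 'PLACEHOLDER_PASSWORD', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Validate rather than "escape weird characters": a UID is a positive integer,
// so anything else is rejected before it reaches the query or the page.
function readUid(array $get): ?int {
    $uid = filter_var($get['uid'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    return $uid === false ? null : $uid;
}

// SQL injection control: the value is bound as a parameter, never concatenated
// into the SQL text, so it can only ever be compared as data.
function coursesForUid(PDO $pdo, int $uid): array {
    $stmt = $pdo->prepare(
        'SELECT course_code, title FROM courses WHERE uid = :uid ORDER BY course_code');
    $stmt->execute([':uid' => $uid]);
    return $stmt->fetchAll();
}

// XSS control: every database value is HTML-escaped at the point it is written
// into the page, regardless of what was stored.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$uid = readUid($_GET);
if ($uid === null) {
    http_response_code(400);
    exit('<p>Invalid uid.</p>');
}
header('Content-Type: text/html; charset=UTF-8');
echo '<table><tr><th>Code</th><th>Title</th></tr>';
foreach (coursesForUid(db(), $uid) as $row) {
    echo '<tr><td>' . h($row['course_code']) . '</td><td>' . h($row['title']) . '</td></tr>';
}
echo '</table>';
```

Requesting main_page.php?uid=42 returns the table for UID 42, while uid=42%27%20OR%201=1 is rejected with a 400 before any query runs.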