This is my first forum post at Envato. I hope you will help me understand the reasons behind my issue.
Last week, I submitted a simple PHP script on CodeCanyon. It was my first script. The script was held for further review after the initial review, and after almost a week I received an email today stating that I should check for security vulnerabilities. The exact message from the reviewer was: “Please double check for common security vulnerabilities: SQL injection, XSS, CSRF etc.”
But I am confused about what I have done wrong. I don’t think their decision is fair. My practices are these:
To prevent SQL injection, I use (PDO) parameterized queries (prepared statements with placeholders), and I know my queries are 100% secure against any kind of SQL injection.
To prevent XSS attacks, I filter all my user inputs (both $_POST and $_GET) using PHP’s built-in function htmlspecialchars($input, ENT_QUOTES, 'UTF-8'), and I know it is sufficient to prevent XSS attacks.
CSRF attacks are impossible on my script, as all (delete, update, insert) actions there are account-level based, so before performing any action I ensure that the user is logged in and is authorized to perform the action (based on ownership).
Now I need answers. What else do the reviewers demand? Can anyone please help me understand what I’m doing wrong in the strategies explained above? Thank you in advance for your help!
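The reviewer's message names three classes of bug. As an added illustration written for this post (it is not the poster's script and not Envato's review checklist), here is one state-changing action in a shape a reviewer would accept on all three counts: placeholders for every user-controlled value in the query, escaping applied at the point of HTML output rather than to the raw input, and a per-session CSRF token checked on top of the login and ownership check. It assumes PHP 8 with the pdo_sqlite extension; the "notes" table, the user ids and the $session array standing in for $_SESSION are constructed for the demo so it runs offline from the command line.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's script: one state-changing action written
// so that a reviewer's SQL-injection, XSS and CSRF checks all pass.
// Assumes PHP >= 8.0 with pdo_sqlite; the "notes" table, the user ids and the
// $session array standing in for $_SESSION are all constructed for the demo.

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // bind server-side where the driver supports it
    ]);
    $pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, body TEXT NOT NULL)');
    return $pdo;
}

// CSRF: a random per-session secret. A cross-site form or fetch() carries the
// victim's session cookie automatically, but it cannot read this value.
function csrf_token(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_valid(array $session, mixed $submitted): bool {
    return is_string($submitted)
        && isset($session['csrf'])
        && hash_equals($session['csrf'], $submitted); // constant-time comparison
}

// SQL injection: placeholders for every user-controlled value. The ownership
// rule lives in the WHERE clause, so a non-owner's request matches zero rows.
function add_note(PDO $pdo, int $ownerId, string $body): int {
    $stmt = $pdo->prepare('INSERT INTO notes (owner_id, body) VALUES (:owner, :body)');
    $stmt->execute([':owner' => $ownerId, ':body' => $body]); // stored raw, not HTML-escaped
    return (int) $pdo->lastInsertId();
}

function delete_note(PDO $pdo, array &$session, int $currentUserId, array $post): string {
    // Being logged in and owning the row is authorization; the token is what shows
    // the request came from the user's own page and not from a third-party site.
    if (!csrf_valid($session, $post['csrf'] ?? null)) {
        return 'rejected: missing or invalid CSRF token';
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 'rejected: bad id';
    }
    $stmt = $pdo->prepare('DELETE FROM notes WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $id, ':owner' => $currentUserId]);
    return $stmt->rowCount() === 1 ? 'deleted' : 'rejected: not found or not owner';
}

// XSS: escape at output time for the HTML text/attribute context. Stored data stays
// raw so JSON, email and other non-HTML consumers are not handed pre-escaped text;
// URL and JavaScript contexts need their own encoders, not htmlspecialchars().
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_notes(PDO $pdo, int $ownerId, array &$session): string {
    $stmt = $pdo->prepare('SELECT id, body FROM notes WHERE owner_id = :owner ORDER BY id');
    $stmt->execute([':owner' => $ownerId]);
    $html = '';
    foreach ($stmt as $row) {
        $html .= '<form method="post" action="/delete">'
               . '<input type="hidden" name="csrf" value="' . e(csrf_token($session)) . '">'
               . '<input type="hidden" name="id" value="' . e((string) $row['id']) . '">'
               . '<span>' . e($row['body']) . '</span><button>Delete</button></form>' . "\n";
    }
    return $html;
}

// Demo run on constructed data.
$pdo     = connect();
$session = [];   // stands in for $_SESSION of the logged-in user "alice"
$alice   = 1;
$mallory = 2;

$noteId = add_note($pdo, $alice, "'; DROP TABLE notes; -- <script>alert(1)</script>");
echo render_notes($pdo, $alice, $session);   // payload is rendered escaped; the table still exists

// A forged cross-site POST: the browser attaches alice's cookie, but the attacker's
// page cannot supply her token, so a logged-in, authorized request is still refused.
echo delete_note($pdo, $session, $alice, ['id' => $noteId]), "\n";
// mallory, with a valid token from her own session, still cannot delete alice's row.
$mallorySession = [];
echo delete_note($pdo, $mallorySession, $mallory, ['id' => $noteId, 'csrf' => csrf_token($mallorySession)]), "\n";
// alice's own page: token plus ownership succeeds.
echo delete_note($pdo, $session, $alice, ['id' => $noteId, 'csrf' => csrf_token($session)]), "\n";
```

Run it with `php example.php`. The second call is the case a CSRF review is really about: the login and ownership checks both pass, because the browser sent the victim's own cookie, and only the token comparison stops the request. The token is also the one value the hidden field must carry per session; the same `e()` escaping is applied to it as to everything else that lands inside HTML.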