dropfaith
Posted October 11, 2008

These errors, or holes rather, were brought up today. What's the best way to fix them? (I don't care if the user can't enter any code at all; I wouldn't mind <p> tags just for formatting, but I can work around that.) Just looking to secure up my site a bit more.

Cross Site Scripting (XSS): You can submit ">code when adding rides.

```php
<?php
// includes
include("../template/conf.php");

// set up error list array
$errorList = array();
$count = 0;

// validate text input fields
// (escaping here is for the SQL query only; it does not make the values safe for HTML output)
$Contact = mysql_escape_string($_POST['Contact']);
$Title = mysql_escape_string($_POST['Title']);
$About = mysql_escape_string($_POST['About']);
$Destination = mysql_escape_string($_POST['Destination']);
$needoffer = mysql_escape_string($_POST['needoffer']);
$Origin = mysql_escape_string($_POST['Origin']);
$Date = mysql_escape_string($_POST['Date']);

// check for errors
// if none found...
if (sizeof($errorList) == 0) {
    // open database connection
    $connection = mysql_connect($host, $user, $pass) or die("Unable to connect!");

    // select database
    mysql_select_db($db) or die("Unable to select database!");

    // generate and execute query
    $query = "INSERT INTO rideshare (Contact, Title, About, Destination, needoffer, Origin, Date)
              VALUES ('$Contact', '$Title', '$About', '$Destination', '$needoffer', '$Origin', '$Date')";
    $result = mysql_query($query) or die("Error in query: $query. " . mysql_error());
} // closing brace for the error check (missing in the post as pasted)
?>
```

I think that's all the code needed; it's just my insert self-submitting form.

Link: https://forums.phpfreaks.com/topic/128015-solved-cross-site-scriptingxss/
waynew
Posted October 11, 2008

If you're using a utf-8 charset:

```php
$clean = htmlentities($dirty_string, ENT_QUOTES, "utf-8");
```
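As an added example (not code from either post), this applies the output-side encoding waynew describes to the kind of rides listing dropfaith's insert script feeds. The row data and the "bare <p> and </p> only" allowlist are assumptions made for illustration:

```php
<?php
// Added example, not code from the thread: HTML-encode stored ride data at
// output time. The mysql_escape_string() calls in the insert script protect
// the SQL query only; a value echoed back into the page must be encoded for
// HTML separately, which is what htmlentities() with ENT_QUOTES does.

// Encode a value for use as HTML text or inside a quoted attribute.
function encode_for_html($dirty)
{
    return htmlentities($dirty, ENT_QUOTES, 'UTF-8');
}

// For the "<p> tags only for formatting" case (assumed allowlist: bare <p>
// and </p>, nothing else). Everything is encoded first, then only the exact
// encoded forms of those two tags are restored, so a <p onclick=...> or any
// other tag stays inert text.
function encode_allow_p($dirty)
{
    $safe = encode_for_html($dirty);
    return str_replace(array('&lt;p&gt;', '&lt;/p&gt;'), array('<p>', '</p>'), $safe);
}

// Constructed rows standing in for mysql_fetch_assoc() results from the
// rideshare table; the second uses the "> break-out pattern from the report.
$rows = array(
    array('Title' => 'Ride to Denver', 'About' => '<p>Leaving Friday</p>'),
    array('Title' => '"><script>code</script>', 'About' => '<p onclick="x">hi</p>'),
);

// Listing page: each field is encoded for the context it lands in.
echo "<table>\n";
foreach ($rows as $row) {
    echo '<tr>';
    // attribute context: ENT_QUOTES keeps the quote from closing value="..."
    echo '<td><input type="text" name="Title" value="' . encode_for_html($row['Title']) . '"></td>';
    // text context, with <p> allowed for formatting
    echo '<td>' . encode_allow_p($row['About']) . '</td>';
    echo "</tr>\n";
}
echo "</table>\n";
```

Encoding belongs where the value is echoed, not at insert time, so the same stored row can be rendered safely in an attribute, a text node, or later a different page.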