Goose87 Posted October 15, 2008

Hi Guys,

This is a pretty simple question to the pros, but I need help with security on my site. I have got the SQL injection protected with mysql_real_escape_string, but I found out the other evening about XSS. It could be potentially very damaging, and it would be pretty easy to fix (as far as I'm aware). I've read many articles on it, but none of them were of any use to me! I just want someone to explain it in simple terms with a worked example for me.

An example of where it fails for me is on a message system on my website. Users could send a message with the JavaScript in, and it loads up on the other end. What I need is to do the following:

1) Stop the JavaScript from being saved to the DB
2) Stop the user from entering HTML code that will be saved in the database.

I think it has something to do with addslashes and stripslashes, but I don't understand it that well. I would really appreciate it if someone could spend a few minutes giving a logical response.

Kind Regards,
James.
MadTechie Posted October 15, 2008

I don't have much time, so this is a quickie: read up on strip_tags(), htmlentities() and htmlspecialchars().
dropfaith Posted October 15, 2008

This probably isn't the cleanest code, but apparently it works, as I've posted it for people to test my security and it passed.

    $cContact = mysql_real_escape_string($_POST['Contact']);   // SQL escaping, for the query only
    $Contact  = htmlentities($cContact, ENT_QUOTES, "utf-8");  // HTML escaping, for output
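A worked example of the two layers the replies above point at (strip tags on the way in, escape on the way out), added here as illustration and not code from this thread or from any of the posters. It assumes a single `message` field and uses hypothetical helper names; the sample messages are constructed. Note that mysql_real_escape_string() only protects the SQL query and does nothing against XSS; the browser-side problem is solved at render time.

```php
<?php
// Input-side layer (the thread's requirement 2): remove tags before storing.
// strip_tags() removes <tags> but keeps their text, so "<script>x</script>"
// becomes "x". Do NOT pass an allowed-tags list here: any allowed tag can
// still carry event attributes, and strip_tags() does not remove those.
// Do not use addslashes() either; it is an SQL-era escape, not an HTML one.
function clean_message_for_storage(string $raw): string
{
    $text = strip_tags($raw);
    // Normalise line endings; leave quotes and ampersands untouched so the
    // stored text is plain and is not double-encoded later.
    return trim(str_replace(["\r\n", "\r"], "\n", $text));
}

// Output-side layer: this is what actually prevents XSS, and it must run on
// EVERY path that prints user text, even if strip_tags() was applied on input.
function render_message(string $stored): string
{
    // ENT_QUOTES escapes both ' and " so text is safe inside attributes too;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="msg">' . nl2br($safe) . '</div>';
}

// The pattern from the original question, kept only as the "before" case:
// user text concatenated straight into HTML.
function render_message_unsafe(string $stored): string
{
    return '<div class="msg">' . $stored . '</div>';
}

// Constructed sample inputs, including the JavaScript case from the question.
$samples = [
    'See you at 5 & bring the "report".',
    '<script>alert(1)</script>Hi',
    'Click <b onclick="alert(1)">here</b>',
];

foreach ($samples as $raw) {
    // $stored is what a parameterised INSERT would write to the messages table.
    $stored = clean_message_for_storage($raw);
    echo "safe:   ", render_message($stored), "\n";
    echo "unsafe: ", render_message_unsafe($raw), "\n";
}
```

Run with `php example.php`: the safe lines show `&amp;`, `&quot;` and plain text where the tags were, while the unsafe lines reproduce the raw markup the question describes.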
CroNiX Posted October 15, 2008

Someone else posted this video earlier and it's pretty good. It's about 46 minutes long. Look for the PHP Security video.... http://videos.code2design.com/

This tutorial covers Cross Site Scripting (XSS), Cross Site Forgery Requests (CSFR), SQL Injection, globals, and much more!