deansaddigh Posted May 13, 2010

Hi guys, question really. I'm in the process of finishing up my site. I wanted to know: I'm using JavaScript to validate forms, but it really annoys me that someone can post this

    <script>alert('Welcome to my Web Site!'); </script>

which obviously isn't good. When the form gets processed I'm using things like

    //Get personal details from enrolment form
    $firstname = mysql_real_escape_string($_POST["first_name"]);
    $surname = mysql_real_escape_string($_POST["surname"]);
    $email = mysql_real_escape_string($_POST["email"]);
    $subject = mysql_real_escape_string($_POST["subject"]);
    $question = mysql_real_escape_string($_POST["question"]);

And then inserting to db. Can anyone add any info on what I can do to prevent JavaScript being sent through to my db? And any other things they would do that I haven't. Thanks a lot

Mchl Posted May 13, 2010

strip_tags

deansaddigh Posted May 13, 2010

Thank you. So would it be something like this

    //Get personal details from enrolment form
    $firstname = mysql_real_escape_string($_POST["first_name"]);
    $surname = mysql_real_escape_string($_POST["surname"]);
    $email = mysql_real_escape_string($_POST["email"]);
    $subject = mysql_real_escape_string($_POST["subject"]);
    $question = mysql_real_escape_string($_POST["question"]);

    strip_tags($firstname);
    strip_tags($surname);
    strip_tags($email);
    strip_tags($subject);
    strip_tags($question);

Mchl Posted May 13, 2010

No. Read the manual again. (Hint: why are you using it differently than mysql_real_escape_string()?)

deansaddigh Posted May 13, 2010

Sorry for the delay, had to pop out. I believe I have done it. Is this correct?

    //Get personal details from enrolment form
    $firstname = mysql_real_escape_string($_POST["first_name"]);
    $surname = mysql_real_escape_string($_POST["surname"]);
    $email = mysql_real_escape_string($_POST["email"]);
    $subject = mysql_real_escape_string($_POST["subject"]);
    $question = mysql_real_escape_string($_POST["question"]);

    //strip tags to prevent script being sent
    $firstname = strip_tags($firstname);
    $surname = strip_tags($surname);
    $email = strip_tags($email);
    $subject = strip_tags($subject);
    $question = strip_tags($question);

Seems to work, so thank you

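The point behind the hint in the replies, as an added example that is not part of any post in the thread: strip_tags() returns its result rather than changing its argument. The example goes a little beyond the thread by also showing server-side validation of the same fields and encoding with htmlspecialchars() at output; $post is a constructed stand-in for $_POST, and validate_enrolment() and h() are hypothetical helper names.

```php
<?php
// Added example, not from the thread. $post is a constructed stand-in for
// $_POST; validate_enrolment() and h() are hypothetical helper names.
$post = [
    'first_name' => "<script>alert('Welcome to my Web Site!'); </script>",
    'surname'    => "O'Neil",
    'email'      => 'dean@example.com',
    'question'   => 'Can I enrol if my score is <b>below</b> 5?',
];

// strip_tags() returns the cleaned string and leaves its argument untouched,
// so the result has to be assigned (the difference between the two attempts).
$raw = $post['first_name'];
strip_tags($raw);               // return value discarded: $raw still has the tags
$stripped = strip_tags($raw);   // tags removed, but the text between them remains

// Server-side validation: these checks run even when the browser's
// JavaScript validation is disabled or bypassed.
function validate_enrolment(array $in): array
{
    $errors = [];
    foreach (['first_name', 'surname'] as $f) {
        // Letters, spaces, apostrophes and hyphens only, 1 to 50 characters.
        if (!preg_match('/^[\p{L} \'-]{1,50}$/u', $in[$f] ?? '')) {
            $errors[] = $f;
        }
    }
    if (filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    $q = trim($in['question'] ?? '');
    if ($q === '' || strlen($q) > 2000) {
        $errors[] = 'question';
    }
    return $errors;   // names of the fields that failed
}

// Encode when writing a stored value into HTML, whatever was filtered on input.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

echo 'unassigned: ', h($raw), "\n";
echo 'assigned:   ', h($stripped), "\n";
echo 'rejected:   ', implode(', ', validate_enrolment($post)), "\n";
echo 'question:   ', h($post['question']), "\n";
```

Database escaping is left out of the example; it addresses SQL syntax, which is a separate concern from markup in the stored text.
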
Archived
This topic is now archived and is closed to further replies.