RON_ron Posted December 6, 2010 Share Posted December 6, 2010 I googled to findout about preventing xss attacks. I came across the following script. <?php $new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES); echo $new; ?> My question is, how / where should I include this piece of code? Should I just add this in to all my php files that allows user inputs? Will that work? If I'm allowing users with 10 input fields should I require the $new repeated 10 times ($input1, $input2, $input3.....)? Quote Link to comment Share on other sites More sharing options...
requinix Posted December 6, 2010 Share Posted December 6, 2010 You should learn more about XSS and htmlentities (which is better than htmlspecialchars) before trying to guess what you should do and where you should do it. In general, to prevent various injections: - Do not alter form values with code like $_POST["value"] = htmlentities($_POST["value"]); (where you lose the old value and replace it with a "safe" version) - Use mysql_real_escape_string at the moment you put a value into a SQL query. Not before then*. Even better: use parameterized queries instead. - Use htmlentities or htmlspecialchars at the moment you put a value into your HTML. Not before then*. * Unless you're setting aside a special variable that is used for, and only for, your query/HTML. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.